GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES


CONTENT

1. WHY A CLOUD COMPUTING GUIDE?
2. WHAT IS CLOUD COMPUTING?
3. WHAT ARE THE ROLES OF THE CLOUD SERVICES PROVIDER AND OF THE CLOUD SERVICES CLIENT?
4. WHAT ARE THE RESPONSIBILITIES FROM THE PERSPECTIVE OF DATA PROTECTION?
5. WHAT CATEGORIES OF DATA MAY FORM THE OBJECT OF CLOUD SERVICES?
6. HOW DO I PROTECT DATA PROCESSED IN THE CONTEXT OF CLOUD SERVICES?
7. WHICH FORMALITIES MUST BE FULFILLED FOR THE USE OF CLOUD SERVICES?
   What information must be provided to the persons whose data is processed?
   Is consent required for including data in Cloud?
   Is notification of the Supervisory Authority required?
   Is it necessary to obtain an authorization from the Supervisory Authority for the transfer of the data?
8. HOW DO I CHOOSE A CLOUD SERVICES PROVIDER?
   What provisions are mandatory to be included in the Cloud Services agreement?
   What are the mandatory clauses to be included in the agreement in all cases?
   What clauses are mandatory in case the Cloud Services Provider uses subcontractors?
   What clauses are mandatory in the case of data transfer to states which do not ensure an adequate level of protection of the data?
   What provisions are recommended to be included in the contract?
   How do I ensure transparency regarding the processing of the data in Cloud?
   Should I limit the purpose for which personal data is processed?
   What rules regarding the deletion or return of the data would be recommendable?
   How do I ensure that the rights of the data subjects are respected?
   How do I ensure that the Cloud Services Provider presents sufficient guarantees regarding the security of the data?
ANNEX 1. DETAILS REGARDING THE INFORMATION OF DATA SUBJECTS WITH RESPECT TO THE PROCESSING OF THEIR DATA IN THE CLOUD CONTEXT
ANNEX 2. DETAILS REGARDING THE NOTIFICATION OF THE DATA PROCESSING IN THE CLOUD CONTEXT

1. WHY A CLOUD COMPUTING GUIDE?
(1) Considering that the rapid adoption and promotion of cloud computing is one of the priorities of the 2020 Digital Agenda [1], the National Supervisory Authority for Personal Data Processing (hereinafter the "Supervisory Authority") finds it useful to issue this guide regarding the practices and procedures which it considers necessary or recommendable when an entity selects its cloud computing (hereinafter, the "Cloud Services") service provider, as well as regarding the obligations of the Cloud Services client, from the perspective of ensuring the lawfulness of the processing of personal data (hereinafter, the "Guide"). The Guide is meant to be a support tool in three directions:
(a) to help potential Cloud Services clients to choose those providers which ensure sufficient guarantees regarding the protection and security of the data;
(b) to offer indications to Cloud Services providers about the requirements which the Supervisory Authority considers that they should observe while providing the service;
(c) to familiarize the Cloud Services clients with the applicable formalities from the perspective of the personal data protection legislation for the compliant use of these services.

(2) From a terminological perspective, the key concepts used in this Guide are:
(a) the Cloud Services client represents the entity [2] which benefits from the services, for a fee, establishing the purpose and extent of the use of the service (hereinafter, the "Cloud Services Client"); and
(b) the Cloud Services provider represents the professional (company) which offers a Cloud Service (hereinafter, the "Cloud Services Provider").

(3) Since cloud computing technology can bring a number of significant advantages to entrepreneurs, especially to small and medium-sized enterprises [3], it is expected that the adoption of Cloud Services will represent a legitimate interest of entrepreneurs and will increase constantly in the coming period. However, potential Cloud Services Clients must understand that the transition from an internal IT system to the use of Cloud Services involves, in the large majority of cases, the transfer of personal data processed by the client to the Cloud Services Provider.

We emphasize in this context that the concepts of "personal data" and "processing" thereof have a very wide meaning [4]; therefore any situation where data held by the client which allows the identification of a person may be stored, accessed, modified, transferred or otherwise processed by the Cloud Services Provider may represent a transfer of personal data from the Cloud Services Client to the Cloud Services Provider.

(4) From the perspective of personal data protection, the legal framework applicable to the Cloud Services consists of the following main regulations in the field:

[1] Unleashing the potential of cloud computing in Europe, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, SWD(2012) 271, available at
[2] This Guide does not refer to the situation where the Cloud Services are intended for consumers (i.e. individuals), although the recommendations are largely applicable also in such case.
[3] Idem note 1.
[4] Please refer to Opinion 4/2007 on the concept of personal data (WP 136), available at

(a) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, implemented in Romanian law by Law No. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data;
(b) Directive 95/46/EC, respectively Law No. 677/2001, apply both if the data controller (the Cloud Services Client) is established in the European Union and if the controller is established outside the European Union but uses equipment located in the Union, respectively in Romania, for the processing of personal data (for example, data centers, servers, etc.);
(c) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the public communications sector, implemented in Romanian law by Law No. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector;
(d) Decision of the Supervisory Authority No. 132/2011 concerning the conditions for the processing of the personal numeric code and of other personal data having an identification function of general applicability [5].

(5) Without having a normative character, the interpretative opinions issued by the Art. 29 Working Party [6], especially Opinion 05/2012 on Cloud Computing [7], are an important tool for the interpretation and application of the above-mentioned regulations.

(6) Depending on the field of activity of the Cloud Services Client, other legislation or regulations in specific areas may also be applicable.

2. WHAT IS CLOUD COMPUTING?

(7) In its Communication on Unleashing the potential of cloud computing in Europe (2012), the European Commission defined the concept of cloud computing as "the storing, processing and use of data on remotely located computers accessed over the internet" [8], a definition that captures the three defining elements:
(a) providing processing capacity (storage, modification, compilation, etc.);
(b) on client demand, which means that the service is scalable according to client needs;
(c) through remote infrastructure, which involves either the use of an Internet connection (most often) or the use of a private network.

(8) Depending on the operating mode, cloud environments may be classified as follows [9]:
(a) Private cloud: a type of cloud hosted for or by a single entity in a private network, most often exploited internally, within which only parties from the respective entity may share resources;
(b) Hybrid cloud: a type of cloud which represents a combination of public cloud and private cloud, for example applications hosted in the public cloud, but with local storage of information;
(c) Public cloud: a type of cloud which is available to the general public or to a multitude of entities to contract, being owned and operated by a third-party cloud provider. This type of cloud is the one considered in this Guide when referring to "cloud computing".

(9) Depending on the type of service, there are three major categories of Cloud Services [10]:
(a) Infrastructure as a Service (IaaS) consists in the use of primary computing resources (servers, storage or network infrastructure for developing, running and storing applications and data in cloud environments) through a remote connection. The Art. 29 Working Party [11] mentions as practical applications of this service category, for example, the rental of technological infrastructure which provides the option of replacing the information technology systems at the headquarters of the beneficiary and/or of using leased infrastructure alongside the beneficiary's own systems.
(b) Platform as a Service (PaaS) consists in the design, development, testing, implementation and hosting of applications on web platforms. The Art. 29 Working Party considers that this type of service targets, as a rule, beneficiaries which intend to use it in order to develop and host solutions based on proprietary applications, in order to meet requirements set internally and/or to provide services to third parties [12].
(c) Software as a Service (SaaS) consists in using a web browser as a platform from which applications and web-based services are run, being the best known and most accessible form of Cloud Services for the regular user.

[5] Can be accessed at
[6] Available at . The Art. 29 Working Party is an independent body, made up of representatives of the data protection supervisory authorities from the European Union countries, representatives of the designated authority for personal data protection matters for the institutions of the European Union and a European Commission representative. The Art. 29 Working Party was established on the basis of Directive 95/46/EC and, among others, may issue recommendations on any aspect concerning the protection of individuals from the perspective of the processing of their data.
[7] Opinion 05/2012 on Cloud Computing of the Art. 29 Working Party is available at
[8] Idem note 1.
[9] Please refer in this regard also to Opinion 05/2012 on Cloud Computing of the Art. 29 Working Party, idem supra note 7.
[10] Please refer in this regard also to Opinion 05/2012 on Cloud Computing of the Art. 29 Working Party, idem supra note
[11] Idem supra note 7, pag.
[12] Idem supra note 7, pag. 30.

In practice, this service may take the form, for example [13], of various web-based applications, such as computerized registries and agendas, shared calendars, applications, text processing tools.

(10) Sometimes the above types are combined (layered) so that, for example, the Cloud Services Client may use an application (SaaS) developed by provider A on a platform (PaaS) owned by provider B, which in turn uses infrastructure (IaaS) from provider C.

3. WHAT ARE THE ROLES OF THE CLOUD SERVICES PROVIDER AND OF THE CLOUD SERVICES CLIENT?

(11) Personal data protection law applies when a personal data processing operation occurs. Considering the very broad scope of both terms [14], the vast majority of operations that may occur in the cloud (including mere storage) regarding personal data fall under the definition of processing, thus triggering the application of the specific regulations.

(12) In the context of Cloud Services, in most cases the Cloud Services Client is the personal data controller (respectively, the natural or legal person, of private law or public law, including public authorities, institutions and territorial structures thereof, which establishes the purpose and the means of the personal data processing). This conclusion results from the fact that the service is at the discretion of the Cloud Services Client, the latter setting the purpose of the use, the timing and the extent of the service.

Although generally the Cloud Services Client has a limited margin for the negotiation of the contractual terms and cannot intervene regarding the technical and administrative measures related to the functioning of the service, which are determined by the Cloud Services Provider, this is not liable to change the qualification of the Cloud Services Client as controller, because the client continues to hold the power of decision to use or to cease using the Cloud Service, as well as regarding the purpose and the extent of such use. At most, the concrete circumstances and the extent of the decision-making powers granted to the Cloud Services Provider may lead to the conclusion that the latter is a joint controller.

(13) In the usual situation in which the Cloud Services Provider is processing personal data on behalf of and exclusively in the interest of the Cloud Services Client, the Cloud Services Provider will be qualified as data processor. But if the Cloud Services Provider holds attributions in establishing the purpose of the processing (for example, if it has the right to process personal data in its own interest, such as for marketing), the Cloud Services Provider becomes in its turn a controller, subject to the requirements specific to this category.

(14) It is also possible that the Cloud Services Provider has no position (controller or processor) from the perspective of the personal data protection regulations, namely in the case where no personal data is involved in the performance of the service between the Cloud Services Provider and the Cloud Services Client. This may occur when the data processed is not related to persons (an example in this sense would be rendering farms, whereby technical information is processed). Also, a particular case in which the Cloud Services Provider has no position in terms of data protection regulations, although the data were originally personal data, is where the data was unidirectionally encrypted before transfer to the cloud provider, a situation detailed in paragraph (19) below.

4. WHAT ARE THE RESPONSIBILITIES FROM THE PERSPECTIVE OF DATA PROTECTION?

(15) Law No. 677/2001 places on the controller the responsibility for compliance with all the requirements set out in this law, including the general principles governing any processing and the specific information requirements, ensuring a legal basis for the processing, the protection of the data, etc.

(16) For this reason (but not only) it is important for the Cloud Services Client to ensure, before contracting a Cloud Service, that it may use this service in compliance with all the obligations incumbent upon it under Law No. 677/2001 and the applicable secondary legislation.

[13] Idem supra note 7, pag.
[14] Personal data is any information relating to an identified or identifiable natural person; an identifiable person is a person who may be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Personal data processing represents any operation or set of operations which is performed upon personal data, by automatic or non-automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure to third parties by transmission, dissemination or otherwise, alignment or combination, blocking, erasure or destruction. Please refer to Art. 3 of Law No. 677/2001 and Opinion 4/2007 (WP 136) on the concept of personal data, available at
(17) In usual circumstances, where the Cloud Services Client is controller and the Cloud Services Provider is data processor, the allocation of responsibilities arising from the applicable law between the Cloud Services Client and the Cloud Services Provider may be summarized as follows:

Selecting data categories: Cloud Services Client
The confidentiality and security obligation: Cloud Services Client + Cloud Services Provider (only based on express contractual obligations)
Informing the data subject: Cloud Services Client
Establishing the legal basis of the processing: Cloud Services Client
Notification with the Supervisory Authority (if the case): Cloud Services Client
Authorization of the data transfer: Cloud Services Client
Ensuring the exercise of the data subjects' rights: Cloud Services Client + Cloud Services Provider (only based on express contractual obligations)

5. WHAT CATEGORIES OF DATA MAY FORM THE OBJECT OF CLOUD SERVICES?

(18) In accordance with personal data protection law, personal data may be "simple" data or special data, this last category including data related to racial or ethnic origin, political, religious, philosophical or similar opinions, trade union membership, personal data concerning health or sex life, as well as personal data having an identification function of general applicability (personal numeric code, series and number of identity card / passport, driving license number, etc.).

(19) When personal data is unidirectionally encrypted before the transfer to the cloud provider (especially possible in the cases of IaaS and PaaS, and to a lesser extent for SaaS), the personal data protection obligations are applicable only in what regards the Cloud Services Client (the controller), and are not applicable in what regards the client-provider relationship. Therefore, although the Cloud Services Client (the controller), which holds the encryption key, always has the possibility to reverse the process (which means that the data does not become anonymous), the Cloud Services Provider cannot reconstruct the original information, so that from its perspective the data is not personal data.

(20) Another important aspect is the way in which this data will be processed in the cloud, it being recommendable that the right of the Cloud Services Provider to process personal data in its own interest should be as limited as possible (and in any case well determined contractually), and in the case of special data prohibited.

(21) Of course, the more sensitive the data processed, the more the Cloud Services Client should ensure that the level of security offered by the Cloud Services Provider is higher (including by reference to the applicable security requirements).
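The arrangement described in paragraph (19), as an added example that is not part of the Guide: the Cloud Services Client applies a keyed one-way function (HMAC-SHA256) to the identifying fields of each record before upload, keeps the key and a token-to-identifier table on its own systems, and the provider receives only the tokens. The class and function names, the field name cnp and the sample records are constructed for this illustration and are not from the Guide. The provider can still count records per token, which shows that the pseudonymised data remains usable in the cloud, while only the key holder can attach a person to a token.

```python
"""Keyed pseudonymisation of identifiers before upload to a cloud provider.

Added illustration (not code from the Guide): the Cloud Services Client keeps a
secret key and a local token -> identifier table; the provider only ever receives
tokens, and can still aggregate on them.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional, Tuple


class PseudonymisingClient:
    """Runs on the Cloud Services Client's own systems; the key never leaves them."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use at least 32 bytes of secret key material")
        self._key = key
        # token -> original identifier; this table stays on-premises with the client
        self._reverse: Dict[str, str] = {}

    def tokenise(self, identifier: str) -> str:
        """Deterministic keyed one-way token: the same identifier always yields the
        same token (so the provider can group by it), but without the key the
        provider can neither recompute nor reverse it. An unkeyed hash would not
        do: identifiers such as a personal numeric code have little entropy, so
        the secret key is what makes the function one-way from the provider's side."""
        token = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[token] = identifier
        return token

    def prepare_for_cloud(self, record: Dict[str, str],
                          identifier_fields: Tuple[str, ...]) -> Dict[str, str]:
        """Copy of the record with identifier fields replaced by tokens; other fields unchanged."""
        outgoing = dict(record)
        for field in identifier_fields:
            if field in outgoing:
                outgoing[field] = self.tokenise(outgoing[field])
        return outgoing

    def resolve(self, token: str) -> Optional[str]:
        """Only the holder of the key and table can go back from a token to the person."""
        return self._reverse.get(token)


def provider_count_per_subject(records: List[Dict[str, str]], field: str) -> Dict[str, int]:
    """What the provider can still compute on pseudonymised data: a per-token count.
    This is the provider-side view: it sees tokens, never the identifiers."""
    return dict(Counter(r[field] for r in records))


# Constructed sample records (not real data) as held by the client before upload.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"cnp": "sample-cnp-0001", "event": "login"},
    {"cnp": "sample-cnp-0002", "event": "login"},
    {"cnp": "sample-cnp-0001", "event": "download"},
]


def demo(key: bytes = b"\x7f" * 32) -> Dict[Optional[str], int]:
    """Full round trip: client tokenises, provider aggregates, client maps results back."""
    client = PseudonymisingClient(key)
    uploaded = [client.prepare_for_cloud(r, ("cnp",)) for r in SAMPLE_RECORDS]
    provider_result = provider_count_per_subject(uploaded, "cnp")
    # Results come back keyed by token; only the client can attach a person to them.
    return {client.resolve(tok): n for tok, n in provider_result.items()}


if __name__ == "__main__":
    print(demo())
```

The key used in demo() is a fixed constant only so that the example is reproducible; in practice it is generated with a cryptographic random source and stored like any other secret. Note that deterministic tokens let the provider link records of the same person to each other; if that linkage is itself unwanted, a fresh random token per record (with the client keeping the mapping) removes it at the cost of provider-side grouping.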
(22) Considering that data processing is subject to specific rules, stricter in the case of special data, it is important for the potential Cloud Services Client to perform an assessment in order to determine whether it is necessary to transfer (all) this personal data to the Cloud Services Provider. It is also necessary to examine potential safety measures which can be taken in order to keep the data in appropriate security conditions.

(23) When the processing of a certain special category of personal data is made by the Cloud Services Client on the basis of a legal obligation or in the cases provided at Art. 7 paragraph (2), Art. 8 paragraph (1) or Art. 9 paragraph (1) of Law No. 677/2001, then the contracting of a Cloud Service will be allowed and will not be subject to special conditions if the following special conditions are met cumulatively:

[Note for the consideration of ANSPDCP: to be discussed depending on the Authority's availability to modify Decision No. 132/2011 concerning the conditions for the processing of the personal numeric code and of other personal data having an identification function of general applicability]

(a) the identification of the categories of data and of the legal provisions which require the processing thereof, as well as the reasons for which this data is processed in cloud, are thoroughly documented by the Cloud Services Client;
(b) contractual provisions prohibit the processing of the personal data by the Cloud Services Provider in its own interest;
(c) the data centers whereby the data is processed are located within the European Economic Area (hereinafter, "EEA");
(d) the Cloud Services Provider performs a security assessment/audit through either internal resources or an external auditor, and offers annually to the client, upon the client's request and free of charge, the conclusions of the security assessment report;
(e) the Cloud Services Provider guarantees contractually that all subcontractors used meet the same level of security and confidentiality;
(f) the Cloud Services Provider guarantees the complete erasure of all copies of the personal data processed on behalf of the Cloud Services Client, within a well-determined period (established contractually) from the request of the Cloud Services Client or upon the contract ending for any reason;
(g) the Cloud Services Client, as data controller, ensures the observance of the data subjects' rights, especially the right to full and accurate information;
(h) the Cloud Services Client notifies the personal data processing to the Supervisory Authority.

(24) The categories of data which are not directly obtained from the data subject may include both data generated by the Cloud Services Client (e.g., user name and initial preset password) and data generated during the use of the Cloud Services (e.g., traffic data regarding the access of the users to resources available through the Cloud Services), so it is necessary to clarify all these types of data with the Cloud Services Provider.

6. HOW DO I PROTECT DATA PROCESSED IN THE CONTEXT OF CLOUD SERVICES?

(25) The data controller is obliged, according to Art. 20 of Law No. 677/2001, to ensure data security, irrespective of whether the data is processed directly by the controller or through data processors.

(26) In accordance with Art. 20 paragraph (1) and paragraph (5) letter b) of Law No. 677/2001, the data controller is required to ensure contractually that any data processor applies appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, unauthorized alteration, disclosure or access, as well as against any other unlawful forms of processing. In the context of Cloud Services, the Cloud Services Client is responsible for the way in which the Cloud Services Provider fulfills these obligations in practice.

(27) The Cloud Services Client remains directly responsible for the implementation of the data protection measures pertaining to its own operations (e.g., training its own employees regarding the rules on personal data protection, establishing rules regarding access to the terminals whereby personal data is processed, imposing on its own employees the obligation of confidentiality regarding the personal data to which they have access, etc.).

(28) In analyzing the data security measures applicable by the Cloud Services Provider [15], the Cloud Services Client should also consider the minimum data security measures regulated by secondary personal data protection legislation, currently Ombudsman Order No. 52/2002 [16] (if the Cloud Services Provider is established in Romania) and the measures regulated by another Member State of the European Union where the Cloud Services Provider would be established.

(29) Mainly, considering the particularities of data processing in the context of providing Cloud Services (especially the possible external location of data in relation to the Cloud Services Client) and the specific risks arising in this respect, in accordance with the point of view of the Art. 29 Working Party, it is advisable for Cloud Services Clients to ensure that reasonable data security and safety measures exist regarding:
(a) data availability in case of exceptional events with adverse effects likely to cause interruptions of data access (e.g., accidental loss of network connectivity of the Cloud Services Provider's equipment, decrease in the performance of the server used by the Cloud Services Provider as a result of attacks, power failures, etc.) - taking reasonable measures to provide the Cloud Services Client with timely access, in safe conditions, by alternative means;
(b) protecting data integrity against accidental or malicious alterations - implementation by the Cloud Services Provider of intrusion detection and/or prevention systems;
(c) ensuring data confidentiality - e.g., ensuring data encryption during communications / transit and, if possible, during storage, imposing confidentiality obligations on the employees of the Cloud Services Provider and, where appropriate, of the subcontractors used by the latter;

[15] Should an electronic communications services operator provide such services to the public through a cloud solution, the operator must also observe the legal requirements regarding personal data processing and privacy protection in the electronic communications sector regulated by Directive 2002/58/EC, implemented through Law No. 506/2004.
[16] Ombudsman Order No. 52/2002 for the approval of the Minimal security requirements for personal data processing.

(d) ensuring the possibility of identifying the operations made over time on data and documenting the taking of appropriate measures for ensuring data security - e.g., implementation of systems for recording the operations performed on data, existence of procedures for various aspects such as recording the operations performed on data, access to data, etc.

7. WHICH FORMALITIES MUST BE FULFILLED FOR THE USE OF CLOUD SERVICES?

(30) Next, we present the main obligations of the Cloud Services Client: informing the data subjects about the processing of their data, ensuring a legitimate basis for data processing, notifying the data processing and, where appropriate, obtaining a data transfer authorization from the Supervisory Authority, in consideration of the provisions of Law No. 677/2001.

(31) Other obligations provided by Law No. 677/2001, to the extent relevant in the context of using Cloud Services, are addressed in other sections of the Guide.

WHAT INFORMATION MUST BE PROVIDED TO THE PERSONS WHOSE DATA IS PROCESSED?

(32) As data controller, the Cloud Services Client has the obligation to ensure the information of the data subjects in relation to the way their data is processed, in accordance with the minimum requirements provided by Art. 12 of Law No. 677/2001.

(33) To ensure full information of the data subjects, it is recommended for the Cloud Services Client to consult the Cloud Services Provider in order to obtain the relevant information related to the Cloud Services Provider's activity (the countries where the data is stored, the possibility of transfer to other states, whether or not subcontractors are used, the categories of personal data generated in the activity of the Cloud Services Provider). The information must not concern only the processing of data in the context of using the Cloud Services, because the use of Cloud Services is not an end in itself. The information should be provided by reference to the separate processing purposes determined by the Cloud Services Client (e.g., human resources, economic-financial and administrative management, sales, marketing, etc.) for which Cloud Services may be used.

(34) Details concerning the minimum content requirements and a model information note may be found in Annex 1 of this Guide.

IS CONSENT REQUIRED FOR INCLUDING DATA IN CLOUD?

(35) In accordance with Art. 7 of Directive 95/46/EC, implemented through Art. 5 of Law No. 677/2001, the processing of simple personal data (other than special data) is conditioned by the existence of one of the legitimacy grounds, namely:
(a) existence of unambiguous consent from the data subject;
(b) the processing is necessary in order to perform a contract or pre-contract to which the data subject is party, or in order to take certain measures, at the request thereof, before the conclusion of a contract or pre-contract;
(c) the processing is necessary to protect the life, physical integrity or health of the data subject or of another threatened person;
(d) the processing is necessary for the fulfillment of a legal obligation of the data controller;
(e) the processing is necessary in order to comply with measures of public interest or which concern the exercise of public authority prerogatives vested in the controller or in the third party to whom the data is disclosed;
(f) the processing is necessary in order to fulfill a legitimate interest of the controller or of the third party to whom the data is disclosed, provided that such interest does not harm the interests or fundamental rights and freedoms of the data subject;
(g) the processing regards data obtained from publicly available documents, according to the law;
(h) the processing is performed exclusively for statistical, historical or scientific research, and the data remains anonymous throughout the processing.
Among the grounds of legitimacy provided by law there is no hierarchy, each having the same value and being equally valid and usable [17].

(36) It is not strictly necessary for controllers to rely on the consent of the data subject if the processing is based on a different legal ground. In this context, of particular interest for Cloud Services is the situation of fulfilling a legitimate interest of the controller or of the third party to whom the data is disclosed, because the use of the cloud is a recognized interest at the level of the European Union, including through the 2020 Digital Agenda. The issue of the legitimate interest of the controller according to Art. 7 (f) of Directive 95/46/EC has been the subject of Opinion No. 6/2014 of the Art. 29 Working Party [18], in accordance with which the sections below present some issues of interest and particularities for Cloud Services. We emphasize, in this context, that the considerations from this section concern strictly the hypothesis of grounding the use of the Cloud Services on the legitimate interest, and not the analysis of the legality of using this ground for the processing of the respective data ab initio by the controller.

(37) Interest, as a general concept, refers to the stake or benefit that the controller may have in relation to the processing of personal data. The concept of interest has a wider sphere than that of the (subjective) right of the controller, not being regulated by law [19]. The interest must be pursued by the controller, meaning that it should be real and present and should correspond to current activities or benefits expected in the near future, which excludes from the scope of the ground analyzed those interests which are too vague or speculative. The nature of the interest may be extremely varied, with interests serving society in general at one extreme and interests serving exclusively the controller concerned at the other. Nevertheless, not all interests are legitimate, but only those which:
(a) comply with the law, in the most general sense;
(b) are sufficiently described (specific); and
(c) represent a real and current purpose.

(38) From this point of view, it appears that using a Cloud Service is not only an interest in general of a potential Cloud Services Client (lower cost, higher mobility, etc.), but even a legitimate interest, since the use of a Cloud Service is not prohibited by law and is a specific interest, real and present.

(39) However, not every legitimate interest may justify the processing of personal data on this ground; the legitimate interest must be balanced against the fundamental interests and rights of the data subjects. It should be mentioned that, while the interests of the controller must be legitimate, the restriction of legitimacy is not regulated in respect of the data subjects, with regard to whom all interests must be considered.

[17] There is no hierarchy among the legitimacy grounds provided by law, and it is not necessary that one or other of the grounds be applied only as an exception. Please refer in this sense to Opinion 15/2011 (WP187) on the definition of consent of the Art. 29 Working Party, p. 6, available at
[18] Opinion 06/2014 (WP217) regarding the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC of the Art. 29 Working Party, available at 29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
(40) The extremes of the balancing test are relatively easy to identify: minor legitimate interests of the controller will prevail over the interests of the data subjects only if the impact on those interests is smaller, while important legitimate interests may, depending on the protection measures adopted, justify even significant intrusions into the privacy of the data subjects. Clearly, the hypothesis of using Cloud Services by the controller lies between the two extremes, so that personal data processing grounded on the legitimate interest requires the potential Cloud Services Client to perform the mentioned balancing test.

(41) The two main factors in the balancing test are the importance of the legitimate interest of the controller and the impact on the data subject. In terms of importance, considering the intention declared at European Union level to support and promote the adoption of Cloud Services, it may be presumed that the controller's interest is both legitimate and important. To this general appreciation there may be added particular factors, which are related to the materialization of the benefits brought by the Cloud Services to the potential client.

(42) With regard to the impact on the data subjects, a general solution cannot be determined, as each separate Cloud Service and each separate option of the data controller may translate into differences (sometimes significant) in the impact on the data subjects. Thus, while a Cloud Service under which it is contractually guaranteed that the Cloud Services Provider does not have the right to reuse the data and that any access to the data will be made either upon the request of the Cloud Services Client or as a result of a legal obligation, with appropriate information of the Cloud Services Client, can be considered to bring only minor harm to the rights of the data subject, the same cannot be said about a service that does not ensure these safeguards.

(43) As can be seen, an important role in the analysis is played by the measures taken in order to reduce the impact on the rights and interests of the data subjects. The more safeguards implemented, the lower the impact will be assessed.

(44) An important role in the analysis is also played by the category of the personal data concerned, namely whether or not they are sensitive data. In general, the more sensitive the data, the more likely it is that the interest of the data subject prevails over the legitimate interest of the controller, unless the controller takes adequate safeguard measures. Measures that may reduce the impact on the data subjects include (without limitation) encryption, pseudonymisation, functional separation, "privacy by design", the use of technical solutions for ensuring data integrity and protection against unauthorized access (firewall, anti-spam, anti-virus, etc.), the right of unconditional termination of the contract, and data portability.

[19] For example, an employer has the interest of ensuring the good internal management of the business; the holder of a site has the interest of obtaining information about its visitors in order to improve the quality of their web browsing, etc.
(45) The purpose of regulating the legitimate interest ground is not to prohibit any negative impact on the data subjects, but only to limit a disproportionate impact on them. As a result, the balancing test should be performed by each Cloud Services Client separately, in order to ensure that a clear determination is made regarding: the data subjects; the categories of personal data processed; the importance of its actual interest in using the Cloud Service; the potential impact on the data subject; whether that impact is proportionate to the importance of the Cloud Services Client's interest; and which safeguards are implemented or can be added so as to reduce a potentially disproportionate impact.

(46) To the extent that the result of the balancing test is that the impact on the data subject is not unjustifiably high, considering the concrete legitimate interest of the Cloud Services Client, the Cloud Services Client may use the legitimate interest ground for the processing of personal data, without requesting the express consent of the data subjects.

(47) The processing of special data, depending on the category to which they belong, is subject to the specific conditions provided by Art. of Law No. 677/2001. Establishing the grounds of the processing (both for simple personal data and for special ones) does not eliminate the applicability of the other processing principles, such as proportionality, accuracy or quality of the processed data, and does not relieve the controller of the fulfillment of all other obligations (informing the data subject, ensuring data security, etc.).

IS NOTIFICATION OF THE SUPERVISORY AUTHORITY REQUIRED?

(48) As a rule, the Cloud Services Client, as personal data controller, has the obligation to notify the data processing performed in the context of the Cloud Services, except where one of the exemptions from the notification obligation applies.

(49) The exemptions from the obligation to notify the processing of personal data are provided in Art. 22 of Law No. 677/2001, in Decision No. 90/2006 of the President of the Supervisory Authority, in Decision No. 100/2007 of the President of the Supervisory Authority and in Decision No. 23/2012 of the President of the Supervisory Authority.[20] The processing of personal data in the context of the Cloud Services does not represent a purpose of the processing in and of itself and will be notified only together with the purpose for which the data is processed by means of the Cloud Services. If the data controller (the Cloud Services Client) has already registered with the Registry of Personal Data Processing Operations held by the Supervisory Authority a notification which covers the purposes for which the Cloud Services are being used, filing a separate notification will not be necessary. It will, however, be necessary to verify whether the current notification also covers the relevant details of the data processing in the context of the Cloud Services.
(50) Annex 2 describes practical aspects regarding the way in which the processing performed by the Cloud Services Client in the context of contracting the Cloud Services must be reflected in an existing notification or in a new one.

IS IT NECESSARY TO OBTAIN AN AUTHORIZATION FROM THE SUPERVISORY AUTHORITY FOR THE TRANSFER OF THE DATA?

(51) Insofar as the use of the Cloud Services involves a transfer of personal data from the Cloud Services Client to the Cloud Services Provider, the legal requirements and restrictions in the field of data transfer will apply. From this perspective, both the state of nationality of the Cloud Services Provider and the location of the data center(s) where the latter stores the data are relevant. More specifically, pursuant to Art. 29 of Law No. 677/2001, the transfer to another state of personal data that is the object of processing or is intended to be processed after the transfer may take place only if the provisions of Romanian law are not breached and if the state to which the transfer is intended ensures an adequate level of protection.

(52) As a rule, any personal data transfer to another state requires the prior notification of the Supervisory Authority; if the state to which the transfer is made is not recognized as ensuring an adequate level of protection, the transfer additionally requires authorization from the Supervisory Authority. For exceptions from the authorization requirement, please refer to paragraph (59) below.

(53) European Union member states are considered to offer an adequate level of protection due to the common regulatory framework; therefore, authorization will not be required in the case of personal data transfer to these states. The same considerations apply in the case of transfer to the other EEA member states: Iceland, Liechtenstein and Norway.

(54) The European Commission recognized by decision an adequate level of protection for Andorra, Argentina, Australia, Canada (companies), Switzerland, Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Uruguay and for the Safe Harbor principles adopted by the United States Department of Trade.[21] Consequently, if the Cloud Services Provider uses data centers in these states or, in the case of the United States of America, holds Safe Harbor certification, the transfer will be exempted from the authorization requirement. In the case of transfer to a Cloud Services Provider which adhered to the Safe Harbor principles, the Cloud Services Client must ensure that the Safe Harbor certification covers both the purpose of the transfer and all categories of data processed on behalf of the Cloud Services Client.

[20] The decisions can be accessed at the address
In the contrary case, the transfer must be authorized by the Supervisory Authority for the aspects not covered by the Safe Harbor certification.

(55) When the authorization requirement applies, the Supervisory Authority will assess the level of protection offered, taking into account all the circumstances in which the data transfer takes place, in particular the nature of the data transmitted, the purpose of the processing and the timeframe proposed for the processing, the state of origin and of final destination, as well as the legislation of the state of final destination.

(56) The Supervisory Authority may authorize the transfer of personal data to a state whose legislation does not provide a level of protection at least equal to that ensured by Romanian legislation when the Cloud Services Client offers sufficient safeguards with respect to the protection of individuals' fundamental rights through the contract concluded with the Cloud Services Provider. If this contract is concluded in accordance with the standard clauses provided in Decision 2010/87/EU,[22] the level of protection provided by the Cloud Services Provider is considered adequate, without an authorization from the Supervisory Authority being necessary. [Note for ANSPDCP's consideration: To be discussed depending on the availability of the Supervisory Authority to modify Decision No. 28/2007 for the implementation of Art. 29 of Law No. 677/2001.]

(57) The Supervisory Authority may also authorize the data transfer based on binding corporate rules (Binding Corporate Rules - BCR) approved by a coordinating authority within the EU, after analyzing the adequacy of the safeguards offered for the protection of the fundamental rights of the individuals.

(58) When necessary as specified above, the authorization will be issued by the Supervisory Authority pursuant to the notification filed by the Cloud Services Client, upon completion of the notification formalities.

(59) As an exception from the aforementioned authorization requirement, Law No. 677/2001 provides in Art. 30 several situations in which the transfer is always allowed, regardless of the level of protection offered, so that obtaining an authorization is no longer required:
(a) when the data subject expressly consented to the transfer;
(b) when it is necessary for the performance of a contract concluded between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject;
(c) when it is necessary for the conclusion or performance of a contract that has been or will be concluded, in the interest of the data subject, between the controller and a third party;
(d) when it is necessary in order to serve a major public interest, such as national defense, public order or national safety, for the proper carrying out of the criminal trial or for the establishment, exercise or defense of a legal right in court, on the condition that the data is processed in relation to this purpose and for no longer than necessary;
(e) when it is necessary to protect the life, physical integrity or health of the data subject;
(f) when it occurs as a result of a prior request for access to official documents which are public or of a request for information which can be obtained from registries or from any other documents accessible to the public.

(60) Of all the exemption situations regulated, the one of most practical interest in the case of Cloud Services is the one in which the data subject explicitly consented to the transfer. In such a case, it will no longer be necessary to obtain an authorization from the Supervisory Authority for the transfer, but the Cloud Services Client, as controller, should take into account the fact that using this exception may trigger practical difficulties, both with respect to obtaining informed consent (based on the prior provision of the minimum information required by Art. 12 of Law No. 677/2001) from each data subject separately, and with respect to the fact that the data subject could subsequently withdraw the consent.

8. HOW DO I CHOOSE A CLOUD SERVICES PROVIDER?

(61) Considering that the fulfillment of the legal requirements in the field of personal data protection rests mainly with the Cloud Services Client, as emphasized by Art. 29 Working Party, it is in its interest to choose a Cloud Services Provider that offers sufficient guarantees with respect to compliance with such requirements. The Cloud Services Client is liable for the way in which the Cloud Services Provider, as a processor for the controller, will process the personal data on behalf of the controller.

(62) For this reason, the Cloud Services Client must pay particular attention when selecting the Cloud Services Provider.

(63) The Cloud Services could make an actual direct control by the Cloud Services Client over the data undergoing processing, and over the media and processes used for processing the data, more difficult.

[21] See
[22] Decision 2010/87/EU regulates the standard clauses for the transfer of personal data from controller to processor. If the Cloud Services Provider is itself a controller, the standard clauses that may apply between the parties are provided in Decision 2001/497/EC (set I), available at and Decision 2004/915/EC (set II), available at protection/document/international-transfers/files/clauses_for_personal_data_transfer_set_ii_c doc.
For this reason, the Cloud Services Client must ensure that the Cloud Services Provider makes available all the information necessary for the Cloud Services Client to fulfill the notification formality applicable to the processing of personal data when using the Cloud Services.

(64) Hereinafter we present:
(a) the legal obligations of the Cloud Services Client which require the inclusion of mandatory provisions in the agreement for the supply of Cloud Services (section 8.1); and
(b) the main legal obligations of the Cloud Services Client for whose compliance it needs the active cooperation of the Cloud Services Provider and in relation to which it is advisable to include obligations upon the Cloud Services Provider (section 8.2).

(65) For the data protection formalities applicable to the Cloud Services Client which also require the cooperation of the Cloud Services Provider by providing information, please refer to paragraph (83) below.

8.1. WHAT PROVISIONS ARE MANDATORY TO BE INCLUDED IN THE CLOUD SERVICES AGREEMENT?

What are the mandatory clauses to be included in the agreement in all cases?

(66) Considering the capacity of the Cloud Services Provider as a processor of the Cloud Services Client, it is mandatory to conclude a written agreement[23] imposing upon the Cloud Services Provider the following minimum legal obligations as per Art. 20 paragraph (5) of Law No. 677/2001:
(a) the obligation to act only based on the instructions of the Cloud Services Client;[24] and
(b) the obligation to implement adequate technical and organizational measures for protecting the personal data against accidental or unlawful destruction, loss, unauthorized modification, disclosure or access, as well as against any other form of unlawful processing.

(67) It is sufficient that the agreement for the provision of the Cloud Services contains the two aforementioned obligations, irrespective of the form in which they are transposed (i.e., the undertaking by the Cloud Services Provider of the obligation to process the data only under the conditions agreed upon with the Cloud Services Client in the agreement; a contractual section containing the data security standards undertaken by the Cloud Services Provider, etc.).

(68) From a practical perspective, the instructions of the Cloud Services Client mentioned in Art. 20 paragraph (5) of Law No. 677/2001 may take the form of the rules set out in the agreement for the provision of the Cloud Services (mainly in relation to the identification of the services to be provided, the technical conditions, the contractual term, etc.).

What clauses are mandatory in case the Cloud Services Provider uses subcontractors?

(69) In accordance with the interpretation of Art. 29 Working Party and the mechanism regulated at the level of the European Union by Decision of the European Commission 2010/87/EU,[25] if the Cloud Services Provider uses subcontractors, the Cloud Services Client can meet its obligations provided in Art. 20 paragraph (5) of Law No. 677/2001 in two alternative ways:
(a) either the Cloud Services Client concludes data processing agreements with such subcontractors, which would include the two legal provisions specified in paragraph (66); or
(b) without concluding a distinct agreement, if the following cumulative conditions are met:
(i) the Cloud Services Provider uses subcontractors only with the prior written consent of the Cloud Services Client. Considering the model regulated by Decision of the European Commission 2010/87/EU and the interpretation of Art. 29 Working Party, the prior written consent is considered obtained either by obtaining the written consent of the Cloud Services Client before using each subcontractor envisaged by the Cloud Services Provider, or by meeting the following cumulative conditions:
i.1) through the agreement concluded for the provision of the Cloud Services, the Cloud Services Client agreed to the use of subcontractors by the Cloud Services Provider; and
i.2) the Cloud Services Clients are given the possibility to opt for being notified of the intention of the Cloud Services Provider to use a new subcontractor; and
i.3) the Cloud Services Provider notifies the Cloud Services Clients which opted to be consulted in this respect of the new subcontractor; and
i.4) the Cloud Services Client did not express, supported by arguments, its opposition to the use of the respective subcontractor and/or did not terminate the agreement for this reason, within the term agreed upon contractually by the parties;
(ii) the Cloud Services Provider concludes with the subcontractor a written contract whereby the latter undertakes the obligations provided by Art. 20 paragraph (5) of Law No. 677/2001.

What clauses are mandatory in the case of data transfer to states which do not ensure an adequate level of protection of the data?

[23] In practice, many Cloud Services Providers, in particular those with an international presence, publish the terms and conditions applicable to the Cloud Services on publicly available pages and include the respective terms and conditions by reference in the services agreement. For this reason, the reference herein to a written agreement must be understood lato sensu, as a reference to the agreed terms, irrespective of the form in which the contractual document is agreed upon (hard copy or online).
[24] Optionally, for contractual safety, the parties may specify the way in which the Cloud Services Client can send instructions to the Cloud Services Provider.
[25] Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council [notified under number C(2010) 593]
(70) It is possible, in the context of the Cloud Services, to have personal data transferred to states not recognized by the European Commission as ensuring an adequate level of data protection. The transfer may be permitted either on the basis of an authorization of the Supervisory Authority or on the basis of a contract that includes the Standard Contractual Clauses (Processors) adopted by the European Commission through Decision of the


FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES GLOBAL FORUM 2009 ICT & The Future of the Internet - Monday, October 19 th 2009 paolo.balboni@bakernet.com Introduction & Structure ENISA Working Group

More information

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

University of Liverpool Online Programmes - Privacy Policy for Visitors and Students

University of Liverpool Online Programmes - Privacy Policy for Visitors and Students University of Liverpool Online Programmes - Privacy Policy for Visitors and Students PLEASE NOTE: The following privacy terms relate to the University of Liverpool s online programmes and not The University

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

Summary of Data Protection Requirements When transferring Data Outside the UK End Users Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation

More information

CROATIAN PARLIAMENT 1364

CROATIAN PARLIAMENT 1364 CROATIAN PARLIAMENT 1364 Pursuant to Article 88 of the Constitution of the Republic of Croatia, I hereby pass the DECISION PROMULGATING THE ACT ON PERSONAL DATA PROTECTION I hereby promulgate the Act on

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of. Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April

More information

Cloud Computing and Risk: A look at the EU and the application of. Protection Directive to cloud computing

Cloud Computing and Risk: A look at the EU and the application of. Protection Directive to cloud computing Infopreneurship Journal (IJ) Available online at www.infopreneurship.net Infopreneurship Journal (IJ), 2013, Vol.1, No.1 Cloud Computing and Risk: A look at the EU and the application of the Data Protection

More information

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School DEUTSCH-FRANZÖSISCHE SOMMERUNIVERSITÄT! FÜR NACHWUCHSWISSENSCHAFTLER 2011! CLOUD COMPUTING : HERAUSFORDERUNGEN UND MÖGLICHKEITEN UNIVERSITÉ DʼÉTÉ FRANCO-ALLEMANDE POUR JEUNES CHERCHEURS 2011! CLOUD COMPUTING

More information

The transfer of personal data to third countries and international organisations by EU institutions and bodies. Position paper

The transfer of personal data to third countries and international organisations by EU institutions and bodies. Position paper The transfer of personal data to third countries and international organisations by EU institutions and bodies Position paper Brussels, 14 July 2014 1 Executive summary This paper provides guidance to

More information

Cloud Computing Legal Considerations for Data Controllers

Cloud Computing Legal Considerations for Data Controllers Cloud Computing Legal Considerations for Data Controllers CLOUD COMPUTING LEGAL CONSIDERATIONS FOR DATA CONTROLLERS What is cloud computing and why is it relevant? Cloud computing can be described as technology

More information

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

More information

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection

More information

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS This document is a rough draft aiming at presenting key provisions, current clauses used in Cloud computing contracts and first drafts on possible

More information

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

A list of CIArb subsidiaries relevant to this notice and their activities is set out below.

A list of CIArb subsidiaries relevant to this notice and their activities is set out below. CHARTERED INSTITUTE OF ARBITRATORS DATA PRIVACY NOTICE INTRODUCTION This data protection notice explains what personal data will be collected by the Chartered Institute of Arbitrators and its subsidiary

More information

Follow the trainer s instructions and explanations to complete the planned tasks.

Follow the trainer s instructions and explanations to complete the planned tasks. CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

Comments and proposals on the Chapter II of the General Data Protection Regulation

Comments and proposals on the Chapter II of the General Data Protection Regulation Comments and proposals on the Chapter II of the General Data Protection Regulation Ahead of the trialogue negotiations in September, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

DATA PROTECTION ACT 2002 The Basics

DATA PROTECTION ACT 2002 The Basics DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Preamble The highest level of personal data protection is particularly important for KCG Partners Law Firm. The purpose of this Data Protection Policy is to inform the visitors

More information

The supplier shall have appropriate policies and procedures in place to ensure compliance with

The supplier shall have appropriate policies and procedures in place to ensure compliance with Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations

More information

DRAFT BILL. The PRESIDENT OF THE REPUBLIC To be known that the National Congress decrees and I sanction the following Law.

DRAFT BILL. The PRESIDENT OF THE REPUBLIC To be known that the National Congress decrees and I sanction the following Law. DRAFT BILL Provides for the processing of personal data 1 to guarantee the free development of the natural person's personality and of its dignity. The PRESIDENT OF THE REPUBLIC To be known that the National

More information

PRIVACY AND DATA SECURITY MODULE

PRIVACY AND DATA SECURITY MODULE "This project has been funded under the fourth AAL call, AAL-2011-4. This publication [communication] reflects the views only of the author, and the Commission cannot be held responsible for any use which

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012)

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

FRANCE. Chapter XX OVERVIEW

FRANCE. Chapter XX OVERVIEW Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

Microsoft Online Services - Data Processing Agreement

Microsoft Online Services - Data Processing Agreement Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of

More information

INERTIA ETHICS MANUAL

INERTIA ETHICS MANUAL SEVENTH FRAMEWORK PROGRAMME Smart Energy Grids Project Title: Integrating Active, Flexible and Responsive Tertiary INERTIA Grant Agreement No: 318216 Collaborative Project INERTIA ETHICS MANUAL Responsible

More information

Privacy Policy. February, 2015 Page: 1

Privacy Policy. February, 2015 Page: 1 February, 2015 Page: 1 Revision History Revision # Date Author Sections Altered Approval/Date Rev 1.0 02/15/15 Ben Price New Document Rev 1.1 07/24/15 Ben Price Verify Privacy Grid Requirements are met

More information

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY Oana Dolea 7 th Annual Leg@l.IT Conference March 26th, 2013 Montreal, Canada INTRODUCTION Mobile e-commerce vs. E-commerce Mobile e-commerce:

More information

Directive. for the transfer of personal data. to third countries outside the EEA

Directive. for the transfer of personal data. to third countries outside the EEA Directive for the transfer of personal data to third countries outside the EEA (Munich Re reinsurance group directive on third-country data transfer) Information correct at 1 July 2013 - 2 - Contents 1

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 2588/15/EN WP 232 Opinion 02/2015 on C-SIG Code of Conduct on Cloud Computing Adopted on 22 September 2015 This Working Party was set up under Article 29 of Directive

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Privacy Policy for Data Collected by Blue State Digital s Clients

Privacy Policy for Data Collected by Blue State Digital s Clients Privacy Policy for Data Collected by Blue State Digital s Clients Blue State Digital LLC. ("Blue State Digital", BSD or "we") provides various services to nonprofits and business entities ("Clients"),

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

SECURITY MEASURES IN THE PERSONAL DATA PROTECTION RULES: TECHNOLOGICAL SOLUTIONS AND LEGAL ADAPTATION

SECURITY MEASURES IN THE PERSONAL DATA PROTECTION RULES: TECHNOLOGICAL SOLUTIONS AND LEGAL ADAPTATION SECURITY MEASURES IN THE PERSONAL DATA PROTECTION RULES: TECHNOLOGICAL SOLUTIONS AND LEGAL ADAPTATION Antonia Paniza-Fullana Civil Law University of Balearic Islands Abstract. Several practical issues

More information

eprivacyseal GmbH Criteria catalogue EU November 2013

eprivacyseal GmbH Criteria catalogue EU November 2013 eprivacyseal GmbH Criteria catalogue EU November 2013 The EPS data privacy seal certifies for the respective applicant that its product or service is in line with the detailed criteria in the following

More information

Factsheet on the Right to be

Factsheet on the Right to be 101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Cloud computing and the legal framework

Cloud computing and the legal framework Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing Content 1. Introduction 3 2. The Danish Act on Processing of Personal

More information

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007 Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

I. EBF KEY PRIORITIES. A. Data breach notification

I. EBF KEY PRIORITIES. A. Data breach notification D1391E-2012 29.10.2012 EUROPEAN BANKING FEDERATION PROPOSED AMENDMENTS TO THE EUROPEAN COMMISSION PROPOSAL FOR A REGULATION ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

More information

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq. EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in

More information

SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER

SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001 IN RELATION TO THE DATA PROTECTION OFFICER 10 September 2009 page 1 / 8 SUPPLEMENTARY INTERNAL RULES IMPLEMENTING REGULATION (EC) N 45/2001

More information