GDPR & Cloud Providers Keynote Presentation
Cloudscape VII, 9 March 2015. GDPR & Cloud Providers: Keynote Presentation. Kuan Hon, Research Consultant, Cloud Legal Project & MCCRC, Centre for Commercial Law Studies, Queen Mary, University of London. w.k.hon@qmul.ac.uk
INTRODUCTION
Data Protection Directive recap
- Controller legally obliged to comply with data protection (DP) principles in processing personal data (PD), plus rules for special category "sensitive" data, eg health
- May use a processor, incl. a cloud provider: must choose a processor providing "sufficient guarantees" re. security measures, plus a written contract (instructions, security), plus ensure compliance
- Direct processor obligations: only in a few Member States (MS)
GDPR progress
- Commission: draft General Data Protection Regulation (GDPR), 2012, plus a crime / law enforcement Directive
- European Parliament: different version, Mar 2014
- Council: yet another version, being debated, Dec 2014; "nothing is agreed until everything is agreed" (PGA)
- EU institutions must agree the same text before the GDPR can become law (flowchart). Moving target!!
- Plus 2 years after adoption
- Regulation, not Directive, though with discretion and ambiguity
Comparative legislative timeline (diagram; only the labels survive transcription)

Data Protection Directive:
- Commission proposal: 17/7/1990
- Parliament 1st reading (95 amendments): 11/3/1992
- Commission amended proposal: 15/10/1992
- Council Common Position (amendments): 20/2/1995
- Parliament 2nd reading (amendments): 15/6/1995
- DPD adopted: 25/10/

Draft General Data Protection Regulation:
- Commission proposal: 25/1/2012
- Parliament 1st reading (207 amendments): 12/3/2014
- Council 1st reading (amendments inevitable!???)
- GDPR adopted??

2015 Kuan Hon, kuan0.com. You may copy/use this diagram under a CC BY 2.0 UK licence retaining the attribution in this paragraph.
Cloud providers often processors
- May use sub-processors; layered services, eg SaaS on IaaS / PaaS, PaaS on IaaS
- Current laws assume 1970s outsourcing (12Cs, 9Ds): delivery, processors' intelligible access, active processing as per controller's instructions
  - encryption: provider doesn't know whether it holds PD
  - infrastructure: not active processing / no instructions / no knowledge
    - IaaS, PaaS, pure storage SaaS: controller self-service
    - provider won't know if it holds PD without looking, even if unencrypted
  - direction: sub-processors & layered cloud
  - commoditised, shared infrastructure, cf. customised
- GDPR would perpetuate 1970s assumptions
PROCESSORS UNDER GDPR
Direct processor obligations
- If processing PD "in the context of the activities of an establishment" in the EU: like the current controller establishment test
  - Data centres (DCs)?; "establishment" and "context" very broad (Google Spain)
  - Parl: incl. non-EU processing
- If processing activities "related to" offering goods / services to data subjects (DS) in the EU, or monitoring them: Parl adds processors; "free" included
- All, even if processing exempt: personal (SNS / ); crime / national security?
Processor's main establishment
- For "one stop shop" purposes, ie which MS's regulator leads if multiple MSs are involved: Council next week?
- Council: place of central administration in the EU; if none, the EU establishment where the main processing activities in the EU occur (DCs?)
- Parliament: the EU establishment where the main decisions on purposes are taken
  - If no EU establishment?
Liability: "involved" in "unlawful" processing
- Processors (sub-processors, DC providers?) liable for the entire amount of damage (even if the controller is at fault?)
  - unless written allocation (Parl); recourse claims (Council)
- "Incompatible" with instructions: strict liability. Council: non-compliance "may" (cf. "must") be exempted if the processor proves it is not responsible for the event, eg the DS / force majeure; role of seal etc. (later)
- Processors: princelier pockets? Analogy: chauffeur limo service vs car rental (carmakers?)
DPA powers over processors
- Same as over controllers: extensive powers
- Processor must cooperate: information, orders, etc.
- Audit powers, access to premises (on-site inspections), though Google agreed to allow DPA Italy onto US premises (summary, order, approval)
- Fines up to 5% of annual worldwide turnover or €100m, if greater (Parl)
Requirements when using processors
- Controller must:
  - choose a processor providing "sufficient guarantees to implement appropriate tech/org measures in such a way that the processing will meet" the GDPR
    - compliance with the GDPR as a whole, not just security / instructions
    - sufficient guarantees: code / certification (Parl, Council)
  - ensure compliance (deleted by Council), and
  - implement a contract with certain terms (next)
- NB Art. 17 processor agreements are not continued: no grandfathering! Redo all of them (not just cloud)!
- What if there is no controller: personal use of a cloud service?
Processor contract terms 1
- Written contract (far beyond current requirements): subject-matter, duration, nature & purpose, type of personal data and categories of data subjects, rights of controller (Council)
- "Prying processors"
- Instructions
  - but cloud: self-service, infrastructure use
- Employ only staff under confidentiality obligations
- Security measures (later)
- Sub-processors (soon)
- DS requests: unclear; Council: "assist" (but cloud?)
Processor contract terms 2
- Assist controller to ensure compliance re. security, breach notification, DP by design / default (DPbD/D), DPIA, prior authorisation / consultation
  - how far? commoditised cloud
- Data delivery at end; not to process otherwise
  - deletion unless EU law requires retention (Parl)
- Information to controller to show compliance (& allow on-site inspection (Parl) / audits (Council); cloud?): processor as police! self-service cloud??
- GDPR (non-contractual) obligation to "immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions" (Council)
Sub-processors
- Enlist only with prior controller consent (vs direction?)
- Different Parl & Council formulations: unclear
- Sub-processor contracts "or other legal act under EU law" must impose the same obligations, for "sufficient guarantees"
- Council: code / certification, including standard Commission / DPA standard clauses, "an element to demonstrate sufficient guarantees"
Security 1
- Controllers may process PD for network and information security (NIS) reasons, to the extent strictly necessary: legitimate interest; gap: controllers only
- Security of processing: tech & org measures to ensure a security level appropriate to the risks, with regard to the state of the art and costs (Parl adds DPIA; Council adds available tech, nature etc. of processing, likelihood / severity of risk)
  - Confidentiality & integrity (implicitly availability)
  - explicit with Parl: security policy, plus resilience, restoration; sensitive PD: measures to ensure situational awareness of risks, ability to take near real-time action; regular testing
- Commission power to specify security requirements
  - deleted by Parl & Council (ENISA role?)
Security 2
- Certifications / codes of conduct may be used "as an element" to demonstrate compliance
- Risk evaluation to assess the appropriate security level: variations between Parl and Council
- Cloud: commoditised, mixed-use infrastructure; "prying processors"; customisation, HCD? (cost)
- Processor directly liable for a security breach, including personal use with no controller
  - if the user's bad password? prove not responsible
  - NB a personal user could process own PD, or other people's
Risk analysis, DPIA, prior consultation
- Parl: risk analysis to check if specific risks are likely; controller "or, where applicable, the processor"
  - when applicable? prying processors, again? cf. commoditised cloud
  - including > 5k data subjects in 12 months; sensitive data, location data, data on children or employees in large-scale filing systems; profiling; core activities requiring regular & systematic monitoring
- Controller's DPIA / prior DPA consultation: profiling, etc.; "or processor on controller's behalf"
  - when? (not for prior consultation: Council)
  - processor should assist controller "where necessary and upon request" to comply with obligations deriving from DPIA / prior consultation (Council recital); cf. commoditised cloud?
Data protection officer
- Controller and processor must appoint one if:
  - processing by a public sector body
  - processing by an org. of >= 250 employees (processor?)
    - changed to > 5k DS in 12 months (Parl)
  - core activities of controller or processor by their nature require regular & systematic monitoring of DS
    - plus core activities involving sensitive data, location data, data on children or employees in large-scale filing systems (Parl)
- Unclear: must the processor appoint one if the controller is public sector etc.? (prying processor)
- Or, MS decision whether to require a DPO (Council)
(Parl. Recital 75a) "at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and the ability to work with employee representation. The designation as a data protection officer does not necessarily require fulltime occupation."
Other processor obligations
- Transfers (restriction on PD exports unless adequate protection / safeguards): processors, no own decision; legitimate interests, but not if frequent / massive / (Parl) structural / repetitive; protection through law only (eg contract), not technology; anti-FISA clause (Parl); processor BCRs (Parl would exclude); see eg A4Cloud paper
- DP by design / default: tech / org measures, at design & use stages, to ensure / show compliance with DP principles; plus processors & public procurement tenders (Parl)
- Record-keeping requirements
Codes & certifications / seals
- Council: DPA-approved industry code / certification may help demonstrate compliance ("as an element"): processor "sufficient guarantees" (Parl too), security, DPIA etc.
- Detailed certification procedures, role of DPAs, accreditation of certification bodies, auditors: Council
- Parl: approved codes; not certification but a DPA-awarded "European Data Protection Seal"
  - EDP seal: shield against fines if non-intentional, non-negligent
- Only if legally enforceable [by DS]? (Council)
- Legal consequences? incl. liability incentives, certifiers / accreditors, erroneous certificates, complying with a code but breaching, etc.
Issues: cloud-inappropriate?
- Encrypted data, infrastructure providers still caught; Google Spain; mixed data
- Liability risk (no intermediary defence?): Council would exclude E-Commerce Directive application
- Unclear responsibility allocation (controller & processor): often controller or processor, either, both, when?
- Net cast very wide; obligations too, in some cases: processing "related to" offering goods etc.; EU data centres?
- Customisation required? eg security
- Access to premises: controllers, DPAs
- (Intelligible access, instructions vs use / disclosure, vs infrastructure cloud, commoditised cloud)
Practical implications
- Cloud providers & other (sub)processors: contract terms, liability allocation, indemnities etc. (& seek fault-based?)
- Could non-EEA providers raise all prices, or refuse if EEA, PD etc.? (& if the customer lies??); close EEA ops, free consumer services; stop using EEA DCs? Impact on innovation / services needs a considered policy decision
- Or, will laws just be ignored, if too wide? Enforceability (outside EEA)? DPA resources? But huge fines
- Big players may be the winners: required contract terms (incl. sub-processors); security, etc.
- Codes & certifications: much increased role
- Clarification needed: which processor obligations apply when, scope, liability; certifications / codes
ARE WE THERE YET?
Rough scale of data protection legislation (chart; axes: no. of articles, no. of recitals, no. of pages; series: DPD (1990), DPD (1995), GDPR (2012))
Note: no. of pages of legislative text are from English PDF versions, excluding explanatory text.
2015 Kuan Hon, kuan0.com, CC BY 2.0 UK, attribution retained.
European Parliament: how many amendments? (chart; number of amendments proposed by Committees vs approved by Parliament at 1st reading: DPD 363 proposed, GDPR 3999 proposed)
2015 Kuan Hon, kuan0.com, CC BY 2.0 UK, attribution retained.
How many EU Member States involved? (chart; number of EU Member States at each stage: initial proposal, Parliament 1st reading, Council 1st reading, Parliament 2nd reading; series: DPD, GDPR)
Notes: 1 Jan 1995: Austria, Finland and Sweden joined. 1 July 2013: Croatia joined.
2015 Kuan Hon, kuan0.com, CC BY 2.0 UK, attribution retained.
Council of the EU: how many footnotes? (chart; number of footnotes in consolidated draft versions considered in Council; DPD: /94 (12/10/1994), /94 (30/11/1994); GDPR: 11013/13 (21/6/2013), /14 (30/6/2014), /14 (19/12/2014))
Note: the number of footnotes is used as a rough measure of the extent of Member State issues, because most (though not all) footnotes contained reservations or similar statements by Member States or the Commission.
2015 Kuan Hon, kuan0.com, CC BY 2.0 UK, attribution retained.
DPD vs GDPR summary
- Vital statistics (articles, recitals, pages):
  - DPD (1990): 33 articles, 24 recitals, 27 pages
  - DPD (1995): 34 articles, 72 recitals, pages N/A
  - GDPR: 91 articles, 139 recitals, 82 pages
- No. of Member States: DPD and GDPR values not recoverable from the transcription (see chart above)
- Parliament Committee amendments proposed: DPD 363; GDPR 3999
- Parliament amendments approved at 1st reading: DPD 95; GDPR 207
- Council no. of footnotes in consolidated text: DPD 87 (2 yrs on), 60 (2+ yrs on); GDPR 509 (1.5 yrs on), 584 (2.5 yrs on), 497 (3 yrs on)
- Timing: DPD > 5 yrs; GDPR 3 yrs
2015 Kuan Hon, kuan0.com, CC BY 2.0 UK, attribution retained.
Thanks for listening! cloudlegalproject.org, mccrc.eu, kuan0.com, blog.kuan0.com
More informationDATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationSecurity incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule)
Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule) DPO meeting 8 May 2015 Mario Guglielmetti Legal officer Unit Supervision and Enforcement
More informationPrivacy Level Agreement Outline for the Sale of Cloud Services in the European Union
Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1
Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees
More informationAN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING
AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING 1. Overview and Background On 27 September 2012, the European Commission adopted a strategy for "Unleashing the potential of cloud computing in
More informationImpact of EU General Data Protection Regulation
Impact of EU General Data Protection Regulation A White Paper Thursday 15 October 2015 The law stated is correct as of this date. This does not constitute legal advice and it is highly recommended to seek
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
More informationData protection issues on an EU outsourcing
Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process
More informationData Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document
Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1
More informationDraft GDPR and health-related scientific research: Where do we stand with the EU Council?
Draft GDPR and health-related scientific research: Where do we stand with the EU Council? Gauthier Chassang, Lawyer BIOBANQUES Infrastructure, INSERM US013, France Data Protection for health: Enabling
More informationTerms and Conditions of Offer and Contract (Works & Services) Conditions of Offer
Conditions of Offer A1 The offer documents comprise the offer form, letter of invitation to offer (if any), these Conditions of Offer and Conditions of Contract (Works & Services), the Working with Queensland
More informationOVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.
Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in
More informationInsurance Europe key messages on the European Commission's proposed General Data Protection Regulation
Position Paper Insurance Europe key messages on the European Commission's proposed General Data Protection Regulation Our reference: SMC-DAT-12-064 Date: 3 September 2012 Related documents: Proposal for
More informationAcquia Comments on EU Recommendations for Data Processing in the Cloud
Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing
More informationSummary of Data Protection Requirements When transferring Data Outside the UK End Users
Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More information(a) the kind of data and the harm that could result if any of those things should occur;
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
More informationData protection legislation influence on cloud computing from local as well as EU perspective
mag. Andrej Tomšič Deputy Information Commissioner Information Commissioner Data protection legislation influence on cloud computing from local as well as EU perspective CLASS conference 2012 I Cloud Assisted
More informationAlign Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationTERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
More information1.1 An initial request to enter into a contractual arrangement may be initiated by either Massey University or another party (Other Party).
CONTRACT MANAGEMENT PROCEDURE Section Risk Management Contact Risk Manager Last Review February 2013 Next Review February 2016 Approval Not required Procedures Contract Initiation Request Mandatory Guidance
More informationTHE TRANSFER OF PERSONAL DATA ABROAD
THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE
More informationData Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
More informationStandard conditions of purchase
Standard conditions of purchase 1 OFFER AND ACCEPTANCE 2 PROPERTY, RISK & DELIVERY 3 PRICES & RATES The Supplier shall provide all Goods and Services in accordance with the terms and conditions set out
More informationCommission on E-Business, IT and Telecoms Task Force on Privacy and the Protection of Personal Data
International Chamber of Commerce The world business organization Department of Policy and Business Practices Commission on E-Business, IT and Telecoms Task Force on Privacy and the Protection of Personal
More informationData Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana
Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act
More informationOSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data
OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas
More informationPrivacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems
Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they
More informationPRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide
PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG
More information