LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

Size: px
Start display at page:

Download "LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS"

Transcription

1 LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS This document is a rough draft aiming at presenting key provisions, current clauses used in Cloud computing contracts and first drafts on possible clauses templates. The only goal of this draft is to open discussions on this issue. NB: the boxed sections present key points and core elements of this proposal offering the possibility of a short version reading (less than 3 pages). Regarding the tight schedule, reporters propose to focus the debate on the boxed sections presented on this page, at the end of section II and on section III (other comments could be sent in writing before the meeting). Key points to be discussed: 1/ Should we envisage a clause of de facto requalification of the CSP in "(joint-) controller" whenever the customer has no real possibility to give instructions to the CSP? Or do customers remain liable because of their prior and free choice of a CSP (meaning they will have to check whether effective procedures to monitor instructions are provided or not)? 2/ Should we consider that CSP s qualification in (joint-) controller or processor entails two distinct sets of contractual clauses on "liability" (i.e. CNIL s choice in 2012)? 3/As WP29 pointed it out in 2010, should we consider that significant contractual imbalance (due to adhesion contracts for instance or to the absence of any free and prior negotiation) does not lead to the qualification of the CSP as a ( joint-)controller? 4/ Would it be better to consider the parties are totally free to distribute responsibilities in the contract or that, in specific cases, specific recommendations should be issued (e.g. regarding security control in SAAS services for instance, the CSP could qualify as «jointcontroller» unless he demonstrates that he provides adequate tools to take customers instructions into account)? 5/ Should we endorse a double set of clauses (proposed in this document) according to the fact that the contract is either an adhesion or a freely negotiable one? 6/ Should we envisage CSPs and customers could be severally liable or only jointly liable? Or should we consider that only the parties to the contract can freely state on this point? 7/ Should the final version of the templates include an obligation, for CSPs, to be able to produce specific documentation (art 28 draft regul.) as to benefit from an exemption of liability? Or should we consider this is an extra-contractual topic (that only ought to be handled by DPAs)? In other words, should accountability be contractually framed? 8/ Should we identify a clause template concerning CSPs security «basic safeguards»? 9/ How the Commission could incent customers and CSPs to use this set of clauses? What specific incentives could be designed? 10/ Should we promote a clause determining that an annex to the contract will provide a «mapping» of processing for which CSP qualifies as processor and those for which he qualifies as a controller or a co-controller? 11/ Should those templates keep on being recommended, as good practices, even is the customer enters the scope of the household exemption? 1

2 I- PROBLEMS RELATED TO LIABILITY FOR NON COMPLIANCE I-1- EXAMPLES OF EXISTING CONTRACT CLAUSES (X= the CSP concerned) II-1-a Example of IAAS service 3. Security and Data Privacy. 3.1 X Security. Without limiting Section 10 or your obligations under Section 4.2, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure. 3.2 Data Privacy. We participate in the safe harbor programs described in the Privacy Policy. You may specify the X regions in which Your Content will be stored and accessible by End Users. We will not move Your Content from your selected X regions without notifying you, unless required to comply with the law or requests of governmental entities. You consent to our collection, use and disclosure of information associated with the Service Offerings in accordance with our Privacy Policy, and to the processing of Your Content in, and the transfer of Your Content into, the X regions you select. [ ] 4. Your Responsibilities 4.1 Your Content. You are solely responsible for the development, content, operation, maintenance, and use of Your Content. For example, you are solely responsible for: (a) the technical operation of Your Content, including ensuring that calls you make to any Service are compatible with then-current APIs for that Service; (b) compliance of Your Content with the Acceptable Use Policy, the other Policies, and the law; (c) any claims relating to Your Content; and (d) properly handling and processing notices sent to you (or any of your affiliates) by any person claiming that Your Content violate such person s rights, including notices pursuant to the Digital Millennium Copyright Act. Main observation: Implicitly, X qualifies itself as processor but keeps control on data storage. Positive points: X complies with Article 17-3 of Directive 95/46 + location of the data centre seems to be under control of the customer (but is this wish binding X, considering that X does not agree to keeping the Content exclusively in the selected regions but only not to move it to another region without notifying the Customer?). Negative points: There is no explicit qualification of the CSP + Transfers are presented as covered by Safe Harbor without further specifications + X seems to keep control over the location of data as it just states that it will previously notify location changes to the customers + Access law enforcement is not framed. I-1-b Example of PAAS service 3.2. Protection of Your Data. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data, as described in the Documentation. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Your Data by Our personnel except (a) to provide the Purchased Services and prevent or address service or 2

3 technical problems, (b) as compelled by law in accordance with Section 8.3 (Compelled Disclosure) below, or (c) as You expressly permit in writing. [ ] 4.3 Your Responsibilities. You will (a) be responsible for Users compliance with this Agreement, (b) be responsible for the accuracy, quality and legality of Your Data and the means by which You acquired Your Data, (c) use commercially reasonable efforts to prevent unauthorized access to or use of Services and Content, and notify Us promptly of any such unauthorized access or use, (d) use Services and Content only in accordance with the Documentation and applicable laws and government regulations, and (e) comply with terms of service of Non-X.com Applications with which You use Services or Content. Main observation: Implicitly, X qualifies as data processor. Positive points: X complies with Article 17-3 of Directive 95/46 + a comprehensive documentation seems to be provided to help the customer to be aware of its obligations Negative points: There is no explicit qualification of the CSP + there are no specifications on international data transfers + the first exception (a) provided in Article 3.2 is ambiguous as it could refer either to the data processed (CSPs don t have to access) or basic operational data. I-1-c Example of SAAS service 1. Services 1.1 Facilities and Data Transfer. All facilities used to store and process Customer Data will adhere to reasonable security standards no less protective than the security standards at facilities where X stores and processes its own information of a similar type. X has implemented at least industry standard systems and procedures to ensure the security and confidentiality of Customer Data, protect against anticipated threats or hazards to the security or integrity of Customer Data and protect against unauthorized access to or use of Customer Data. As part of providing the Services X may transfer store and process Customer Data in the United States or any other country in which X or its agents maintain facilities. By using the Services Customer consents to this transfer, processing and storage of Customer Data. 2.3 Customer Administration of the Services. Customer may specify one or more Administrators through the Admin Console who will have the rights to access Admin Account(s) and to administer the End User Accounts. Customer is responsible for: (a) maintaining the confidentiality of the password and Admin Account(s); (b) designating those individuals who are authorized to access the Admin Account(s); and (c) ensuring that all activities that occur in connection with the Admin Account(s) comply with the Agreement. Customer agrees that X's responsibilities do not extend to the internal management or administration of the Services for Customer and that X is merely a data-processor Effects of Termination. If this Agreement terminates, then: (i) the rights granted by one party to the other will cease immediately (except as set forth in this Section); (ii) X will provide Customer access to, and the ability to export, the Customer Data for a commercially reasonable period of time at X s then-current rates for the applicable Services; (iii) after a commercially reasonable period of time, X will delete Customer Data by removing pointers to it on X s active servers and overwriting it over time; and (iv) upon request each party will 3

4 promptly use commercially reasonable efforts to return or destroy all other Confidential Information of the other party. If a Customer on an annual plan terminates the Agreement prior to the conclusion of its annual plan, X will bill Customer, and Customer is responsible for paying X, for the remaining unpaid amount of Customer s annual commitment. Main observation: X qualifies explicitly as data processor, but the customer has few powers with regard to defining and controlling the manner in which the processing takes place. Positive points: X specifies the roles of the service provider (processor) and of the customer, which is not qualified as controller but has a set of rights and obligations regarding personal data defined in the agreement. Negative points: Although X qualifies itself as a processor, it retains near full discretion with regard to the means of processing + X makes no particular specification/effort to comply neither with Article 17-3 of Directive 95/46 nor Article 6-1-e. I-2- CONTRACTUAL LIMITS: CONTRACTUAL SITUATION - No clause on the qualification as a data controller or processor in the contract - Unclear clause on the qualification of the CSP as joint controller or processor Clause on the qualification of the CSP as a processor in the contract Clause in the contract leading to a significant imbalance towards the controller Adhesion contract with no possibility to freely negotiate on liability LEGAL PROBLEM Even if the qualification in data controller or processor depends on facts, the contract gives direct indications on the intention of the parties. Therefore, usually, in such a situation, facts will tend to demonstrate that the customer qualifies as data controller and that he is fully liable. There could be litigation about liability: the customer will try to establish joint and several liability whereas the CSP will retain no liability at all as it implicitly qualifies as a processor. In adhesion contracts, the CSP will tend to retain he is only a processor. The customer will tend to retain the exemption provided by Article 23-2 of Directive 95/46 or to establish a de facto qualification as joint controller (because of the absence of effective instructions monitoring system, of further processing, of absence of compliance with its reasonable and legitimate instructions) The customer might lodge a complaint, most of all in adhesion contracts. But according to Opinion 1/2010 released by the WP29, the imbalance in the contractual power should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law. The customer might claim that the contract is null and void. In adhesion contract, the CSP will tend to retain that he qualifies as processor and is, under no condition, liable. But, indeed, he might not be a mere 4

5 Freely negotiable contract Unsatisfactory implementation of the qualification of the CSP as( joint) controller or processor in the other clauses of the contract processor as it will actually give no real possibility to the customer to be in control of the processing (no instructions monitoring procedure). The CSP will mitigate its liability and tend to retain a qualification as a processor but the customer could use EU clauses templates. The qualification as processor or (joint) controller might be written in one clause of the contract but not lead to adequate adaptations in the other clauses, blurring the frontier between customer s and CSP s liability. I-3 PRE-CONTRACTUAL INFORMATION PRACTICE Adequate pre-contractual information practice allows the Customer: - to make a better informed choice of CSP, considering the obligation to select a processor providing sufficient guarantees ; - to better comply with legal obligations, namely with regard to ensuring as a data controller that the CSP applies appropriate technical and organizational measures - to more easily compare the different offers available in the market and to choose in a more informed manner the CSP that better responds to the customer s needs (access rights, data location, back-up policy, etc.); - a better picture of the eventual requirements to fulfill before the DPA prior to entering into the cloud agreement and of the need to request further consent from data subjects considering the particular features of the cloud services; - to better structure the internal processes that it will move to the cloud and to distribute/split such processes to the more suitable CSPs. I-4 EVIDENCE SHOWING THE IMPORTANCE OF THESE PROBLEMS Among all the current contracts and clauses provided by CSPs in IAAS, PAAS and SAAS services, whether they are free or not, some recurrent problems arise such as: - the lack of real possibility, for the customer, to give instructions to the CSP calling into question the qualification as data controller; - the continuous attempt of CSPs to be exonerated from their responsibility regarding to security despite Article 17-3 of the Directive explicit specifications originating litigations on liability; - the absence of explicit qualification of the CSP as processor whereas the customer meets genuine difficulty to contribute effectively to the terms of the contract (adhesion contracts of clauses templates for freely negotiable contracts) and therefore to give initial instructions; - the absence of any direct reference to privacy policy or of any annexing of those policies to the contract blurring the scope of liability or the predictable implementation of those policies (i.e. concerning transfers or access law enforcement for instance). 5

6 II- KEY PROVISIONS ON CONTROLLER S AND PROCESSOR S QUALIFICATION: Liability for non-compliance with data protection obligations is framed in key provisions/sections of (i) Directive 95/46 of 24 October 1995 (the Directive ), (ii) WP29 Opinion 5/2012 on Cloud Computing, adopted on 1 July 2012, (iii) the European Data Protection Supervisor (EDPS) Opinion adopted on 16 November 2012, (iv) WP29 Opinion 1/2010 on the concepts of controller and processor, adopted on 16 February 2010 and (v) the Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries (2010/87/EU) ("the Standard Contractual Clauses") that provides an example for contractual clauses on the liability of controller and processor towards the data subject. II-1- Current key provisions on controller s and processor s definitions: - A 'controller' shall mean the natural or legal person public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (Article 3-(d) of the Directive) - A 'processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Article 2-(e) of the Directive) - The processor must not process them [personal data] except on instructions from the controller, unless he is required to do so by law (Article 16 of the Directive) - the same entity may act at the same time as a controller for certain processing operations and as a processor for others, and the qualification as controller or processor has to be assessed with regard to specific sets of data or operations (WP29 Opinion 1/2010, p.24). - the fact that the contract and its detailed terms of business are prepared by the service provider rather than by the controller is not in itself a sufficient basis to conclude that the service provider should be considered as a controller, in so far as the controller has freely accepted the contractual terms, thus accepting full responsibility for them. In the same line, the imbalance in the contractual power of a small data controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law (Opinion 1/2010, p.26). - II- 2- Current key provisions on controller s data protection basic obligations: - It shall be for the controller to ensure that paragraph 1 [fair and lawful processing, legitimate purposes, etc.] is complied with (article 6 of the Directive). - the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing and ensure a level of security appropriate to the risks (article 17-1 of the Directive). He shall also choose a processor providing sufficient guarantees and ensure compliance with those measures (article 17-2 of the Directive) 6

7 - Controllers should provide security measures to protect personal data and to be able to demonstrate accountability. In addition to the core security objectives of availability, confidentiality and integrity, attention must also be drawn to the complementary data protection goals of transparency (see above), isolation, intervenability, accountability and portability (WP29 opinion 05/2012 on Cloud Computing, p.14). - It should be recalled that the WP29 pointed out in its opinion 1/2010 on the concepts of controller and processor that the first and foremost role of the concept of controller is to determine who shall be responsible for compliance with data protection rules, and how data subjects can exercise the rights in practice. In other words: to allocate responsibility. These two general criteria responsible for compliance and allocation of responsibility should be borne in mind by the parties involved throughout the analysis in question (WP29 opinion 05/2012 on Cloud Computing,p.7) - The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that [ ] the processor shall act only on instructions from the controller (article 17-3 of the Directive) - Article 17(2) of Directive 95/46/EC puts full responsibility on cloud clients (acting as data controllers) to choose cloud providers that implement adequate technical and organizational (WP29 opinion 05/2012 on Cloud Computing, p.13). II-3- Current key provisions on processor s data protection basic obligations: - the obligation of the controller to implement technical and organizational measures to protect personal data shall also be incumbent on the processor (article 17-3 of the Directive) II-4- Current key provisions on controller s liability: - The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage (article 23-2 of the Directive see also Recital 55 of Directive); - The client as the controller must accept responsibility for abiding by data protection legislation and is subject to all the legal obligations mentioned in Directive 95/46/EC and 2002/58/EC, where applicable, in particular vis-à-vis data subjects (see 3.3.1) (WP29 opinion 05/2012 on Cloud Computing, p.20). - Appropriate contractual safeguards are addressed in the opinion with the requirement that any contract between the cloud client and cloud provider should afford sufficient guarantees in terms of technical and organizational measures (WP29 opinion 05/2012 on Cloud Computing, p.2) - For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form (article 17-4 of the Directive). - It should be emphasized that even in complex data processing environments, where different controllers play a role in processing personal data, compliance with data protection rules and responsibilities for possible breach of these rules must be clearly allocated, in order to avoid that the protection of personal data is reduced or that a "negative conflict of competence" and gaps arise whereby some obligations or rights 7

8 stemming from the Directive are not ensured by any of the parties (WP29 opinion 05/2012 on Cloud Computing, p.8). - "The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered." (Standard Contractual Clauses, Clause 6 (1)). II-5- Current key provisions on joint controllers liability: - Acting on behalf means serving someone else's interest and recalls the legal concept of delegation. [ ] A processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a (joint) controller rather than a processor (Opinion 1/2010 on the concepts of "controller" and "processor" adopted on 16 February WP169, p.25). II-6- Current key provisions on processor s liability: - Should the processors use the data for any other purpose, or communicate them or use them in a way that breaches the contract, they shall also be considered to be controllers, and shall be held liable for the infringements in which they were personally involved (WP29 opinion 05/2012 on Cloud Computing, p.14) - when the provider re-processes some personal data for its own purposes. In such a case, the cloud provider has full (joint) responsibility for the processing and must fulfill all legal obligations that are stipulated by Directives 95/46/EC and 2002/58/EC (if applicable) (WP29 opinion 05/2012 on Cloud Computing, p.20) - Better balancing of responsibilities between controller and processor: The WP welcomes the provisions contained in Article 26 of the Commission s proposals (Draft EU General Data Protection Regulation) that are aimed at making processors more accountable towards controllers by assisting them in ensuring compliance in particular with security and related obligations. Article 30 of the proposal introduces a legal obligation for the processor to implement appropriate technical and organizational measures. The draft proposals clarify that a processor failing to comply with the controller s instructions qualifies as a controller and is subject to specific joint controllership rules. The Article 29 Working party considers that this proposal goes in the right direction to remedy the unbalance that is often a feature in the cloud computing environment, where the client (especially if it is a SME) may find it difficult to exercise the full control required by data protection legislation (WP29 opinion 05/2012 on Cloud Computing, p.23 referring to Article 26-4 and 27 of LIBE committee amendments). - The controller should be able to avail of contractual recourse possibilities in case of breaches of contracts caused by the subprocessors. This could be arranged by ensuring that the processor is directly liable toward the controller for any breaches caused by any sub-processors he has enlisted (WP29 opinion 05/2012 on Cloud Computing, p.10). - Where the subprocessor fails to fulfill its data protection obligations under such written agreement the processor shall remain fully liable to the controller for the performance 8

9 of the sub-processor s obligations under such agreement (WP29 opinion 05/2012 on Cloud Computing, p.9-10). - the acceptance by the controller established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage (Article 43-2-f) of the draft regulation on BCRs). - "If a data subject is not able to bring a claim for compensation [ ] against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities" (Standard Contractual Clauses, Clause 6 (2)). IN THE CLOUD SECTOR, WE COULD CONCLUDE FROM THOSE KEY PROVISIONS THAT 1/ THE CLOUD CUSTOMER: - is liable for data protection law compliance and the implementation of appropriate technical and additional safeguards; - has the duty to establish compliance with data protection law, in particular with regard to data security and oversight by DPAs; - is fully accountable for choosing cloud providers that implement adequate technical and organizational measures; - is in charge of determining in the contract who shall be responsible concerning specific sets of data or operations and respective responsibilities; - could be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage; 2/ THE CLOUD PROVIDER: - that only processes personal data on behalf of the controller qualifies as a processor; - either going beyond its mandate (and acquiring a relevant role in determining the purposes or the essential means of processing) or failing to comply with customers instructions qualifies as a joint-controller or controller (not a processor); - that uses the data for any other purpose (or communicates or uses such data in a way that breaches the contract) shall be considered a controller, be subject to all applicable legal obligations and be held liable for any infringement to such obligations; - is contractually accountable towards controllers by assisting them in ensuring compliance, in particular with regard to security and related obligations; - is directly liable towards the controller for any breaches caused by any sub-processors he has enlisted. 9

10 Moreover, prospective dispositions in the LIBE committee amendments adopted in October 2013 give further evidence that CSP s liability should be interpreted broadly: - Technical and organizational guarantees may be demonstrated by adherence to codes of conduct or certification mechanisms pursuant to Articles 38 or 39 of this Regulation (Article 26-3a). - Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller s behalf should be established, in particular with regard to documentation, data security, impact assessments, the data protection officer and oversight by data protection authorities. In particular, the controller should ensure and be able to demonstrate the compliance of each processing operation with this Regulation. This should be verified by independent internal or external auditors (Recital 60). - The arrangement between the joint controllers should reflect the joint controllers' effective roles and relationships. The processing of personal data under this Regulation should include the permission for a controller to transmit the data to a joint controller (Recital 62). - Where several controllers jointly determines the purposes and means of the processing of personal data, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. In case of unclarity of the responsibility, the controllers shall be jointly and severally liable (Article 24). - Where more than one controller or processor is involved in the processing, each of those controllers or processors shall be jointly and severally liable for the entire amount of the damage, unless they have an appropriate written agreement determining the responsibilities pursuant to Article 24 (Article 77-2). III- RIGHTS AND OBLIGATIONS OF THE PARTIES TO BE SPECIFIED IN THE CSP CONTRACT III-1 BEST PRACTICES ACHIEVING A BALANCE BETWEEN THE PARTIES TO THE CONTRACT Regarding a satisfactory implementation of the liability, the parties to the contract should: - provide one clear contractual clause on the qualification of the CSP as (joint-) controller or processor; - in case of a qualification of the CSP as processor, define and document the CSP initial mandate with regard to the processing of data and provide clear procedures on the way additional instructions to those set in the contract could be given by the customer and genuine controls operated; - determine the liability of the CSP when not complying with the customer s reasonable and legitimate instructions; - determine the liability of the CSP when further processing the data (i.e. big data) and split responsibilities according to the set of processing concerned; 10

11 - write down, on the basis of the qualification retained, specific responsibilities in all the relevant clauses in the contract regarding liability (i.e. liability for non compliance with Directive 95/46, for handling of security breaches, for subcontracting, for data subjects rights exercise, for data erasure and portability, for cooperation and notification to DPA(s), for audits, for data location and transfers legal framing, access law enforcement, security obligations incumbent on the CSP and on the customer such as continuity of service). III-2 WHY THOSE PRACTICES ARE A GOOD SOLUTION TO PROPERLY SOLVE THE PROBLEM? Although liability of the parties to a cloud contract is ultimately established by the Courts, a clear definition of the role and legal status of the CSP and Customer: - provides more effective safeguards to data subjects in the event of breach of data protection obligations; - allows a swifter and more effective allocation of responsibility between the Customer and the CSP and more legal certainty; - ensures better compliance with regulatory requirements by the Customer, namely with regard to the fulfillment of notification/prior checking obligations before the DPA and the requirements applicable to the data being processed (banking, insurance, health, traffic and location, etc.). III-3 EXAMPLES OF CONTRACTS TARGETING DATA PROTECTION AND A BALANCE BETWEEN THE PARTIES III-3-a X General Terms and Conditions for X Cloud Services (v8-2012) Article 13 Data Protection 13.1 Customer has and accepts the full responsibility for all personal data as controller in terms of Art. 2 (d) of the EU Data Protection Directive 95/46/EC. To the extent personal data is stored and/or processed under this Agreement, X will adhere to Customer s instructions as a processor in the terms of Art. 2 (e) of the EU Data Protection Directive 95/46/EC. Customer s instructions exceeding the scope of services offered by X will be at Customer s expense and subject to technical and organizational feasibility by X. X and Customer will implement all technical and organizational measures necessary to meet the requirements of applicable data protection laws to protect personal data against misuse To the extent that personal data of Customer are being processed, X shall obligate its personnel entrusted with the processing of Customer s data to data protection and data secrecy in accordance with applicable law X is authorized to engage subcontractors for the processing of personal data to the extent necessary for fulfilling its contractual obligations under this Agreement. X shall obligate its subcontractors to obey all relevant data protection rules. In case that such subcontractor is located outside the EU, X shall provide for a level of data protection deemed adequate under EU data protection regulations Customer ensures that no legal requirements of Customer prevent X from fulfilling its contractual obligations under this Agreement in compliance with applicable law. This includes, but is not limited to, ensuring that all concerned individuals have previously declared consent to a possible processing of personal data. 11

12 Main observation: X addresses data protection issues in an explicit and clear wording. It states that X adheres to customers instructions and therefore qualifies as a processor. Positive points: Compliance with EU data protection legal framework is at the core of the data protection section. Article 17-3 of the Directive is fully complied with as X will implement all technical and organizational measures necessary to meet the requirements of applicable data protection laws to protect personal data against misuse and will also obligate its subcontractors to obey all relevant data protection rules Negative points: X is not fully clear on the storage locations options (namely whether the service allows such operations to be confined to specific territories) + it does not mention anything on access law enforcement. III-3-b X CLOUD SERVICES AGREEMENT (SaaS, UK Version, ) 1. DATA PROTECTION 11.1 In performing the Services, X will comply with the X Services Privacy Policy, which is available at and incorporated herein by reference. The X Services Privacy Policy is subject to change at X s discretion; however, X policy changes will not result in a material reduction in the level of protection provided for Your Personal Data provided as part of Your Content during the Services Period of Your order X s Data Processing Agreement for X Cloud Services (the Data Processing Agreement ), which is available at and incorporated herein by reference, describes the parties respective roles for the processing and control of Personal Data that You provide to X as part of the Cloud Services. X will act as a data processor, and will act on Your instruction concerning the treatment of Your Personal Data residing in the Services Environment, as specified in this Agreement, the Data Processing Agreement and the applicable order. You agree to provide any notices and obtain any consents related to Your use of the Services and X s provision of the Services, including those related to the collection, use, processing, transfer and disclosure of Personal Data The Service Specifications applicable to Your order define the administrative, physical, technical and other safeguards applied to Your Content residing in the Services Environment, and describe other aspects of system management applicable to the Services. You are responsible for any security vulnerabilities, and the consequences of such vulnerabilities, arising from Your Content and Your Applications, including any viruses, Trojan horses, worms or other programming routines contained in Your Content or Your Applications that could limit or harm the functionality of a computer or that could damage, intercept or expropriate data You may not provide X access to health, payment card or similarly sensitive personal information that imposes specific data security obligations for the processing of such data unless specified in Your order. If available, You may purchase services from X (e.g., X Payment Card Industry Compliance Services, X HIPAA Security Services, X Federal Security Services, etc.) designed to address particular data protection requirements applicable to Your business or Your Content. Main observation: X explicitly qualifies as a Data processor and clearly indicates its duties in the cloud Services Agreement and in the Data Processing Agreement for Cloud Services (that 12

13 are incorporated herein in reference). The agreement is comprehensive and addresses essential concerns regarding liability for non-compliance. Positive points: X complies with Article 17-3 of Directive 95/46 + includes a clear definition of the instructions received from the client (which categories of personal data and of data subjects are included in the processing) + specifies the manner in which the client can provide additional instructions to those included in the Agreement + grants audit rights to customer, applies incident management procedures, security breach notification obligations, obligations for return and deletion of personal data upon end of services at customer s request in the Data processing agreement? Negative points: Although it applies Safe Harbor and Model Clauses to international transfers, it is not fully clear on the storage/processing options (namely whether the service allows such operations to be confined to specific territories) + it states the customers responsibility for any security vulnerabilities, and the consequences of such vulnerabilities (which should be excluded in case the customer demonstrates CSP s fault. III-4 CONTRACTUAL CLAUSE TEMPLATE ROUGH DRAFT First of all, we should notice that liability could be conceived in 2 ways, that is to say: - liablility towards data subjects, that is broadly addressed in section II; - liability inter-partes, that is to say the balance to determine between CSP and customer regarding joint or several liability settled in the contract. In principle, Customers of CSPs are liable for non-compliance with data protection current law and non-provision of adequate technical and organizational measures; CSPs are liable for breach of obligations arising from the cloud contract and also for sub-processors breaches. By way of exception, CSPs that do not follow customer s instructions OR that process data to serve a different purpose to that specifically identified by the customer qualify as (joint-) controllers; in such event, they will be subject to legal obligations on the processing of data and liable for the infringement of such obligations. Therefore, the clear scope of CSP s liability should be pointed out within the contract (according to the kind of operation concerned). The templates proposed hereafter are only a basis for discussion. Some particularly relevant questions are expressly outlined. III-4-a BY-DESIGN APPROACH: LIABILITY IN FREELY NEGOTIABLE CONTRACTS Among all possible issues to consider regarding liability, we draw your attention to the followings: - location of the data; - transfers (contractual clauses, BCR processors, adequate countries, safe harbor if only US data centers?); - subcontracting; - audits; - access law enforcement by administrative and judiciary authorities; - destruction or restitution of data (portability); - rights of the data subjects: 13

14 - reporting complaints; - security breaches; - security policy (security means and general conditions: integrity, accessibility, confidentiality, reversibility, traceability); - cooperation with the competent data protection authorities; - codes of conduct. Particularly in freely negotiable contracts, dedicated and explicit clauses may be added concerning some or all of those specific issues. Framing which issues should be taken into account in priority is to be debated here. Some templates could further be elaborated on, under the condition this draft document reaches a sufficient consensus and validates, on principle, the necessity or the whole interest of writing down those elements. After reading this first draft, European Commission proposed to distinguish obligations prescribed by the applicable law (including the allocation of liability towards the data subject for a breach of these obligations) and obligations for breaches that are not prescribed by applicable law. The latter could be clarified in the contract in order to guarantee legal certainty for the parties. III-4-b BY-DEFAULT APPROACH: LIABILITY IN ADHESION CONTRACT The following propositions should be considered as a basis to debate what should be a minimum or a by default clause targeting liability for non compliance with data protection obligations. It does not preclude the possibility to propose and promote detailed and specific clauses targeting the issues presented in III-4-a. CASE 1: THE CUSTOMER EFFECTIVELY CONTROLS THE WHOLE PROCESSING = THE CSP QUALIFIES AS PROCESSOR Under this contract, the customer qualifies as data controller of the set of processing carried out (by the cloud service provider) on his behalf. X (the CSP) qualifies as processor and will remain as such as long as it (i) complies with the customers reasonable and legitimate instructions, (ii) provides adequate monitoring procedures regarding compliance with such instructions, (iii) does not go beyond the mandate given by the customer (that is to say it will not acquire a relevant role in determining the purposes or the essential means of processing). In particular, X (the CSP) shall provide an accessible, easy-to-use and comprehensive security-monitoring-tool. The customer is fully liable for data protection law compliance. Therefore, the customer must comply with Directive 95/46 of 24 October 1995 and its implementing national provisions, and, in particular, [TO BE PARTICULARLY DISCUSSED: must keep documentation demonstrating that he has chosen an appropriate cloud service provider], regarding the nature of the data, the transfers, the scale of the processing and the technical and organizational safeguards in use. 14

15 The customer may be exempted from the above described liability, in whole or in part, only if he establishes that he is not responsible for the damage which a data subject may suffer as a result of the processing. X (the CSP) will be liable only if the customer establishes that X (the CSP) has breached this contract or that the breach results from a set of operations that the customer had neither validated via the signature of the contract nor given effective instructions on. Therefore, concerning security and related obligations, X (the CSP) is directly liable towards the customer for any breach caused by all the subprocessors he has enlisted. Concerning access due to law enforcement, the CSP is liable towards the customer and the competent DPA. As a processor, X (the CSP) commits to be diligent and accountable towards the customer by assisting the customer in ensuring compliance with its obligations. The customer s exemption of liability will only result from the demonstration that the CSP did not take appropriate actions. CASE 2: THE CUSTOMER DOES NOT EFFECTIVELY CONTROL ONE PART OR THE FULL PROCESSING = THE CSP QUALIFIES AS JOINT CONTROLLER Under this contract, the customer qualifies as data controller for the set of processing carried out (by the cloud service provider) on his behalf. Concerning the set of operations the customer is in no position to fully control, X (the CSP) qualifies as a joint controller. This qualification applies to the set of operations (i) X (the CSP) does not provide effective customer instructions monitoring system for, (ii) going beyond the mandate given by the customer (that is to say for those where X (the CSP) acquires a relevant role in determining the purposes or the essential means of processing) or (iii) X (the CSP) fails to comply with the customer s reasonable and legitimate instructions. In particular, X (the CSP) provides an accessible, easy-to-use and comprehensive mapping of the processing where he qualifies as processor [TO BE PARTICULARLY DISCUSSED: this set of operations could be specified in an Appendix I]. Concerning the processing that the customer has full control on, the customer is fully liable for data protection law compliance. Therefore, he has the duty to establish compliance with Directive 95/46 of 24 October 1995 and its local implementing laws, and, in particular, [TO BE PARTICULARLY DISCUSSED: keep documentation demonstrating he has chosen an appropriate cloud service], regarding the nature of the data, the transfers, the scale of the processing and the technical and organizational safeguards in use. Concerning the set of operations the customer is in no position to fully control, the customer and the CSP are jointly liable for data protection law compliance. Each is liable for the part of the operations he has effective control on. The customer could be exempted from his liability in whole if he establishes that he is not responsible for the damage which a data subject may suffer as a result of the processing. X (the CSP) will be fully liable only if the customer establishes that the breach results from a set of operations he has no control on (that is to say, neither validated via the signature of the contract nor effectively instructed by the customer). Therefore, concerning security and 15

16 related obligations, X (the CSP) is liable in whole towards the customer for any breach caused by all the sub-processors that X (the CSP) has enlisted. Concerning access law enforcement, the CSP is liable towards the customer and the competent DPA. As a joint-controller, X (the CSP) is under the obligation to comply with data protection law concerning the processing he controls jointly or in whole. 16

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 2588/15/EN WP 232 Opinion 02/2015 on C-SIG Code of Conduct on Cloud Computing Adopted on 22 September 2015 This Working Party was set up under Article 29 of Directive

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL 1. Definition of Cloud Computing In the public consultation, CNIL defined

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Microsoft Online Services - Data Processing Agreement

Microsoft Online Services - Data Processing Agreement Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter Agreement ) is between COVERED ENTITY NAME (hereinafter Covered Entity ) and BUSINESS ASSOCIATE NAME (hereinafter Business

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent

More information

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012)

OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) OPINION MAY 2012 ON CLOUD COMPUTING Article 29 Data Protection Working Party (July 1, 2012) ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1

More information

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Acquia Comments on EU Recommendations for Data Processing in the Cloud Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into as of [Date] (hereinafter Effective

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Note: This form is not meant to encompass all the various ways in which any particular facility may use health information and should be specifically tailored to your organization. In addition, as with

More information

Standard conditions of purchase

Standard conditions of purchase Standard conditions of purchase 1 OFFER AND ACCEPTANCE 2 PROPERTY, RISK & DELIVERY 3 PRICES & RATES The Supplier shall provide all Goods and Services in accordance with the terms and conditions set out

More information

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Data transfers in the Cloud

Data transfers in the Cloud Data transfers in the Cloud Rapporteur: Emmanuelle Bartoli Meeting date: 28 th March 2014 1 The purpose of this document is to explore options for how contracts between Cloud providers and consumers and

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS This Business Associate Agreement (this Agreement ), is made as of the day of, 20 (the Effective Date ), by and between ( Business Associate ) and ( Covered Entity

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1

CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1 CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1 THIS AGREEMENT is entered into on ( Effective Date ) by and between LaSalle County Health Department, hereinafter called Covered Entity and, hereinafter

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) is entered into this day of 2014. Perry Memorial Hospital ( Covered Entity ) and [ABC Company] ( Business Associate ) referred

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

How To Ensure Health Information Is Protected

How To Ensure Health Information Is Protected pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

Appendix : Business Associate Agreement

Appendix : Business Associate Agreement I. Authority: Pursuant to 45 C.F.R. 164.502(e), the Indian Health Service (IHS), as a covered entity, is required to enter into an agreement with a business associate, as defined by 45 C.F.R. 160.103,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

Trinity Online Application - Terms and Conditions of Use

Trinity Online Application - Terms and Conditions of Use IMPORTANT NOTICE PLEASE READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY. IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT USE THIS APPLICATION. BY USING THIS APPLICATION AND/OR ANY OF

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement I. Definitions Catch-all definition: The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules: Breach, Data Aggregation, Designated

More information

AGREEMENT. Solicitor Without Per Diem Compensation

AGREEMENT. Solicitor Without Per Diem Compensation Solicitor Without Per Diem Compensation AGREEMENT Products underwritten by: American General Life Insurance Company Houston, Texas The United States Life Insurance Company in the City of New York New York,

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

Louisiana State University System

Louisiana State University System PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered

More information

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( the Agreement ) is entered into this day of, 20 by and between the Tennessee Chapter of the American Academy of Pediatrics ( Business Associate

More information

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT Revised: July 27, 2015 AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT Welcome to the AmWell Exchange Service (the Service ), which is owned and operated by American Well Corporation, a Delaware corporation

More information

STANDING CLOUD, INC. ( SC ) TERMS OF SERVICE

STANDING CLOUD, INC. ( SC ) TERMS OF SERVICE STANDING CLOUD, INC. ( SC ) TERMS OF SERVICE These Terms of Service ( Terms ) govern your use of Standing Cloud s online deployment platform for application software (the Services ). By using the Services,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is made effective as of the day of 2014 (the Effective Date ), by and between Sarasota County Public Hospital District,

More information

(a) the kind of data and the harm that could result if any of those things should occur;

(a) the kind of data and the harm that could result if any of those things should occur; Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data

More information

HIPAA Business Associate Contract. Definitions

HIPAA Business Associate Contract. Definitions HIPAA Business Associate Contract Definitions Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule. Examples of specific definitions:

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of ( Effective Date ) by and between Sentara Health Plans, Inc. ( Covered Entity ) and ( Business Associate

More information

ELECTRONIC TRADING FACILITIES SUPPLEMENTAL TERMS AND CONDITIONS OF TRADING

ELECTRONIC TRADING FACILITIES SUPPLEMENTAL TERMS AND CONDITIONS OF TRADING ELECTRONIC TRADING FACILITIES SUPPLEMENTAL TERMS AND CONDITIONS OF TRADING This Supplemental Terms and Conditions of Trading is supplemental to and forms part of the terms and conditions set out in the

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT COLUMBIA AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into as of ( Effective Date ) by and between The Trustees of Columbia University in the City of

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information