Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Size: px
Start display at page:

Download "Information Security Risks when going cloud. How to deal with data security: an EU perspective."

Transcription

1 Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with data security: an EU perspective. Javier Fernández-Samaniego Partner Bird & Bird Page 1

2 Cloud computing raises a number of specific legal challenges in relation to the right of data protection and data security risks: cyber fraud or crime + loss of control over individual identity data issues of jurisdiction and responsibility data transfers / processing to third countries data breach management Page 2

3 Page 3 Data security: EU framework

4 Data security: relevant EU legislation Data Protection Directive 95/46/EC article 17 Amended e-privacy Directive 2002/58/EC article 4 Proposal for a EU General Data Protection Regulation articles Page 4

5 EU views on Cloud Computing Opinion 5/2012 on Cloud Computing of Art. 29 DP Working Party (July 2012) UK Information Commissioner's Office Guidance on the use of Cloud Computing (September 2012) Page 5

6 ISO New and improved ISO/IEC standards Page 6

7 Relevant EU Agencies EC3 - European Cybercrime Center at EUROPOL Focuses on following areas of cybercrimes: committed to organized groups to generate large criminal profit such as online fraud while causes serious harm to the victims such as online sexual exploitation which affects critical infrastructure and information systems in the EU ENISA - European Network and information Security Agency Hub for exchange information, best practices and knowledge of information security Page 7

8 The security of processing obligations under Directive 95/46/EC (I) The security obligation (art. 17): the controller must implement appropriate technical and organizational measures (TOMs) to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing of personal data. Organizations need to ensure an appropriate level of security taking into account: State of the art in security Cost of their implementation Level of security appropriate to: Nature of the data to be protected Nature of the risks Page 8

9 The Security of Processing obligations under Directive 95/46/EC (II) Using data processors art Processor must provide sufficient guarantees in respect of TOMs Processor must ensure compliance with those measures Need of Data Processing Agreements governing relationship between controller and processor Page 9

10 The Security of Processing obligations under Directive 95/46/EC (III) Implementation TOMs determined by controller Germany Netherlands Sweden Security guidelines issued by DPA UK Belgium TOMS imposed by law Spain Italy Page 10

11 TOMs International Transfer of Data Standard Contractual Clauses for transfer to third countries processors: Data exporter must provide sufficient guarantees in respect of TOMs of Appendix 2 SCCs Data importer: must implement TOMs of Appendix 2 SCC before processing promptly notify data exporter of security incidents submit data centres / processing facilities for audit Appendix 2: Description of TOM implemented by data importer Page 11

12 Security of processing under Proposal of EU Regulation Article 30 of the Proposal of EU Regulation: The controller and the processor shall implement appropriate TOMs Page 12

13 Information Security Incidents & Personal Data Breaches Page 13

14 Definitions and distinctions Personal Data Breach: Means a breach of Security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communication service in the Community (Amended e-privacy Directive) Information Security Incident: A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security Page 14

15 Definitions and distinctions A personal data breach can be the result of a security incident, but also a loss of user control. An information security incident does not necessarily entail a personal data breach and vis-versa. Page 15

16 Page 16 Global Breach Notification Laws

17 Page 17

18 Security breach notifications US: security breach notification laws in most States EU: Article 4 of amended e-privacy 2002/58/EC Directive: Requirement for the electronic communication sector Proposal of the EU General data Protection Regulation (Article 31 and 32) Towards a general obligation of reporting data breaches: to the supervisory authority to the individuals affected Page 18

19 Security breach notifications: EU Perspective To whom and in what circumstances and timeframes a notification required (trigger)? In the case of a personal data breach without delay (and where feasible, not later than 24 hours after having become aware of it*) TO: COMPETENT NATIONAL AUTHORITY The personal data breach is likely to adversely affect the personal data or privacy TO: INDIVIDUAL AFTER NOTIFICATION TO AUTHORITY (EXCEPTIONS) *Article 31 Proposal of DP Regulation Page 19

20 Security breach notifications: EU Perspective Who is obliged to notify? Amended e-privacy Directive: Providers of publicly available electronic communication services Proposal of DP Regulation Controllers shall notify Processors shall alert and inform the controller immediately after the establishment of a personal data breach. Page 20

21 Security breach notifications: EU Perspective Working Document 1/2011 on the current EU personal data breach framework and recomendations for future policy developments Page 21

22 Security breach notifications: EU Perspective April 2012 Recommendations on technical implementation guidelines of Article 4 e-privacy Directive See [presentation of Manuel García Sánchez, Spainsh DPA] Page 22

23 Security breach notifications: EU Perspective Conclusions: Importance of being proactive and prepared Need for a holistic personal data management procedure Two-phased assessments and twophased notifications Review and improve Page 23

24 Thank you Javier Fernández-Samaniego Partner Bird & Bird (Spain) LLP Jorge Juan, 8 1 Madrid Spain Page 24

Follow the trainer s instructions and explanations to complete the planned tasks.

Follow the trainer s instructions and explanations to complete the planned tasks. CERT Exercises Toolset 171 20. Exercise: CERT participation in incident handling related to Article 4 obligations 20.1 What will you learn? During this exercise you will learn about the rules, procedures

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate)

Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate) Security breach! A closer look from a data protection law perspective November 2014 Gabriel Voisin (Associate) Why is this a challenge? When personal data is compromised, mandatory or recommended notification

More information

20. Exercise: CERT participation in incident handling related to Article 4 obligations

20. Exercise: CERT participation in incident handling related to Article 4 obligations CERT Exercises Handbook 241 241 20. Exercise: CERT participation in incident handling related to Article 4 obligations Main Objective Targeted Audience Total Duration This exercise provides students with

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia

Data Breach Notification Duty. Dr. Elisabeth Thole 31 October 2015 UIA Valencia Data Breach Notification Duty Dr. Elisabeth Thole 31 October 2015 UIA Valencia Van Doorne 2 How is your cyber crime awareness? Either you have been data breached or you just do not know that you have been

More information

COMMISSION REGULATION (EU) No /.. of XXX

COMMISSION REGULATION (EU) No /.. of XXX EUROPEAN COMMISSION Brussels, XXX [ ](2013) XXX draft COMMISSION REGULATION (EU) No /.. of XXX on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

The impact of the personal data security breach notification law

The impact of the personal data security breach notification law ICTRECHT The impact of the personal data security breach notification law On 1 January 2016 legislation will enter into force in The Netherlands requiring organisations to report personal data security

More information

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid. Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment

More information

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or

More information

Navigating the Privacy Law Landscape - US and Europe

Navigating the Privacy Law Landscape - US and Europe 21 January, 2015 Navigating the Privacy Law Landscape - US and Europe Roberta Anderson, Partner, K&L Gates, Pittsburgh Friederike Gräfin von Brühl, Senior Associate, K&L Gates, Berlin Etienne Drouard,

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

The era of hacks and cyber regulation

The era of hacks and cyber regulation 6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year,

More information

How To Protect Your Data In European Law

How To Protect Your Data In European Law Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work

More information

Data Protection and Cloud Computing: an Overview of the Legal Issues

Data Protection and Cloud Computing: an Overview of the Legal Issues Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

More information

E-PRIVACY DIRECTIVE: Personal Data Breach Notification

E-PRIVACY DIRECTIVE: Personal Data Breach Notification E-PRIVACY DIRECTIVE: Personal Data Breach Notification PUBLIC CONSULTATION BEUC Response Contact: Kostas Rossoglou digital@beuc.eu Ref.: X/2011/092-13/09/11 EC register for interest representatives: identification

More information

Microsoft Online Services - Data Processing Agreement

Microsoft Online Services - Data Processing Agreement Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of

More information

Dealing with data breaches in Europe and beyond

Dealing with data breaches in Europe and beyond Dealing with data breaches in Europe and beyond Karin Retzer and Joanna Łopatowska Morrison & Foerster LLP www.practicallaw.com/6-505-9638 The use of increasingly advanced technology means that the ways

More information

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison Security breaches: A regulatory overview Jonathan Bamford Head of Strategic Liaison Security breaches and the DPA Data controllers security obligation - principle 7 of the DPA o Appropriate technical and

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working

More information

ISO 27000 Information Security Management Systems Foundation

ISO 27000 Information Security Management Systems Foundation ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality

More information

Procedure for Managing a Privacy Breach

Procedure for Managing a Privacy Breach Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access

More information

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act

Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act Summary of the Dutch Data Protection Authority s guidelines for the Data Breach Notification Act On 1 January 2016, the Dutch Data Breach Notification Act will enter into force. The Dutch DPA issued Guidelines

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Cloud computing and the legal framework

Cloud computing and the legal framework Cloud computing and the legal framework - Guidance on legislative requirement and the contractual environment related to cloud computing Content 1. Introduction 3 2. The Danish Act on Processing of Personal

More information

Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule)

Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule) Security incidents affecting personal data: an exploratory travel from technology to law (*under Chatham House Rule) DPO meeting 8 May 2015 Mario Guglielmetti Legal officer Unit Supervision and Enforcement

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010 Panel IV: Privacy and Cloud Computing Data Protection and Cloud Computing under EU law Peter Hustinx European Data Protection

More information

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems Privacy PRESENTATION vs Data TITLE Protection: GOES HERE The Impact of EU Data Protection Legislation Thomas Rivera Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted

More information

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

Summary of Data Protection Requirements When transferring Data Outside the UK End Users Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall 9 February 2015

CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION. Presented by Sophie More O Ferrall 9 February 2015 CERTIFICATE IN DATA PROTECTION DATA SECURITY & DATA PROTECTION Presented by Sophie More O Ferrall 9 February 2015 DATA SECURITY LEGAL REQUIREMENTS SECTOR SPECIFIC ISSUES INTERNATIONAL TRANSFERS DATA SECURITY

More information

IAPP Practical Privacy Series. Data Breach Hypothetical

IAPP Practical Privacy Series. Data Breach Hypothetical IAPP Practical Privacy Series Data Breach Hypothetical Presented by: Jennifer L. Rathburn, Partner, Quarles & Brady LLP Frances Wiet, CPO and Assistant General Counsel, Takeda Pharmaceuticals U.S.A., Inc.

More information

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security

More information

PRIVACY BREACH POLICY

PRIVACY BREACH POLICY Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Issue #5 July 9, 2015

Issue #5 July 9, 2015 Issue #5 July 9, 2015 Breach Response Plans by Lyndsay A. Wasser, CIPP/C, Co-Chair Privacy Privacy breaches can occur despite an organization s best efforts to prevent them. When such incidents arise,

More information

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom

More information

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4 PREFACE The following provides general guidance on data protection

More information

EU Priorities in Cybersecurity. Steve Purser Head of Core Operations Department June 2013

EU Priorities in Cybersecurity. Steve Purser Head of Core Operations Department June 2013 EU Priorities in Cybersecurity Steve Purser Head of Core Operations Department June 2013 Agenda About ENISA The EU Cyber Security Strategy Protecting Critical Information Infrastructure National & EU Cyber

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Practical Overview on responsibilities of Data Protection Officers. Security measures

Practical Overview on responsibilities of Data Protection Officers. Security measures Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures

More information

PRIVACY BREACH MANAGEMENT POLICY

PRIVACY BREACH MANAGEMENT POLICY PRIVACY BREACH MANAGEMENT POLICY DM Approval: Effective Date: October 1, 2014 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (ATIPP Act) public bodies such as the Department

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

Cloud Security Standardisation & Certification. Arjan de Jong Policy Advisor Information Security

Cloud Security Standardisation & Certification. Arjan de Jong Policy Advisor Information Security Cloud Security Standardisation & Certification Arjan de Jong Policy Advisor Information Security Overview Economics of standardization and certification (EU) Legal requirements for (cloud) security International

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Overview of Employment and Employee Privacy Laws and Key Trends in Austria

Overview of Employment and Employee Privacy Laws and Key Trends in Austria P a g e 1 Privacy Interviews with Experts August 2011 Toronto / Washington DC / Brussels www.nymity.com Rainer Knyrim Attorney and Partner Preslmayr Attorneys at Law Vienna, Austria Overview of Employment

More information

MORRISON I FOERSTER. Legal Updates & News. Data Breach Notification: Debate in the EU May 2008 by Ann Bevitt, Karin Retzer. Bulletins.

MORRISON I FOERSTER. Legal Updates & News. Data Breach Notification: Debate in the EU May 2008 by Ann Bevitt, Karin Retzer. Bulletins. MORRISON I FOERSTER Legal Updates & News Bulletins Data Breach Notification: Debate in the EU May 2008 by Ann Bevitt, Karin Retzer Data Breach Notification: Debate in the EU Related Practices: Privacy

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2

TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2 TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2 1.0 Purpose/Background The purpose of this policy is to establish the protocol to

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

Individuals affected by the breach How many individuals are affected by the breach? Who was affected by the breach: employees, public, contractors, clients, service providers, other organizations? Foreseeable

More information

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Cloud Computing and Privacy Laws! 17.7. 22.7. 2011 Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School DEUTSCH-FRANZÖSISCHE SOMMERUNIVERSITÄT! FÜR NACHWUCHSWISSENSCHAFTLER 2011! CLOUD COMPUTING : HERAUSFORDERUNGEN UND MÖGLICHKEITEN UNIVERSITÉ DʼÉTÉ FRANCO-ALLEMANDE POUR JEUNES CHERCHEURS 2011! CLOUD COMPUTING

More information

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows

Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows Hacks, apps and espionage - how protected are you against cyber crime? Top 10 Legal Need-to-Knows 24 February 2015 Callum Sinclair Faith Jayne Agenda Top 10 legal need-to-knows, including: What is cyber

More information

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012 Presentation by: Dr. Nathalie Moreno Partner Cloud Computing and Data Protection: an Update 4 October 2012 Our team Speechly Bircham is an ambitious, international mid-size fullservice law firm head-quartered

More information

Global investigations: what employers need to know about investigating employees

Global investigations: what employers need to know about investigating employees Global investigations: what employers need to know about investigating employees Plan carefully to minimise riskbe su Given increasing globalisation, multinational companies are facing new levels of risk.

More information

INERTIA ETHICS MANUAL

INERTIA ETHICS MANUAL SEVENTH FRAMEWORK PROGRAMME Smart Energy Grids Project Title: Integrating Active, Flexible and Responsive Tertiary INERTIA Grant Agreement No: 318216 Collaborative Project INERTIA ETHICS MANUAL Responsible

More information

Data Protection and Information Security: The top 5 risks for 2013 1 November 2012

Data Protection and Information Security: The top 5 risks for 2013 1 November 2012 Robert Bond Head of Data Protection & Information Law Group Data Protection and Information Security: The top 5 risks for 2013 1 November 2012 Our team Speechly Bircham is an ambitious, full-service law

More information

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

Statutory Instruments 2007: No. 2199

Statutory Instruments 2007: No. 2199 Statutory Instruments 2007: No. 2199 Data Retention (EC Directive) Regulations SI 2007/2199 ELECTRONIC COMMUNICATIONS Made: 26th July 2007 Coming into force: 1st October 2007 The Secretary of State, being

More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

Cloud Security Alliance EMEA Congress

Cloud Security Alliance EMEA Congress Cloud Security Alliance EMEA Congress Berlin, Germany Greenberg Traurig, LLP A1orneys at Law www.gtlaw.com 2015 Greenberg Traurig, LLP. All rights reserved November 17-19, 2015 Security Breach Disclosure

More information

SECURITY MEASURES IN THE PERSONAL DATA PROTECTION RULES: TECHNOLOGICAL SOLUTIONS AND LEGAL ADAPTATION

SECURITY MEASURES IN THE PERSONAL DATA PROTECTION RULES: TECHNOLOGICAL SOLUTIONS AND LEGAL ADAPTATION SECURITY MEASURES IN THE PERSONAL DATA PROTECTION RULES: TECHNOLOGICAL SOLUTIONS AND LEGAL ADAPTATION Antonia Paniza-Fullana Civil Law University of Balearic Islands Abstract. Several practical issues

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

WELCOME. Data Security Seminar November 7, 2012

WELCOME. Data Security Seminar November 7, 2012 WELCOME Data Security Seminar November 7, 2012 Data Security Seminar Technology, Legal and Risk Management Roundtable November 7, 2012 Chris Watson, MBA, CISA, CRISC Internal Audit and Risk Advisory Services

More information

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7

TABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7 PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

Managing General Agents (MGAs) Guideline

Managing General Agents (MGAs) Guideline Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

The supplier shall have appropriate policies and procedures in place to ensure compliance with

The supplier shall have appropriate policies and procedures in place to ensure compliance with Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.4 Information Security Incident Response

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.4 Information Security Incident Response Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Information Security Incident Response Part 1. Purpose. This guideline establishes the minimum requirements for Information

More information

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS Mr. Ryutaro Hatanaka Commissioner Financial Services Agency Government of Japan 3-2-1 Kasumigaseki Chiyoda-ku, Tokyo Japan 100-8967 Dr. Kunio Chiyoda Chairman Certified Public Accountants and Auditing

More information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred

More information

WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions

WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions Meeting European Data Protection and Security Requirements with CipherCloud Solutions 2015 1 TABLE OF CONTENTS

More information

Legal Aspects of Cloud Computing. Dr. Susann Wolfgram & Ulrike Weinbrenner Dr. Alexander Duisberg (Bird&Bird)

Legal Aspects of Cloud Computing. Dr. Susann Wolfgram & Ulrike Weinbrenner Dr. Alexander Duisberg (Bird&Bird) Legal Aspects of Cloud Computing Dr. Susann Wolfgram & Ulrike Weinbrenner Dr. Alexander Duisberg (Bird&Bird) Agenda Cloud Computing Overview Role Play on Hot Topics SAAS versus on-premise software licensing

More information

New Relic EU Data Protection Whitepaper

New Relic EU Data Protection Whitepaper New Relic EU Data Protection Whitepaper November 2015 New Relic, Inc. 188 Spear Street San Francisco, CA 94105 1 Table of Contents I. Introduction II. Purpose III. Overview of Directive 95/46/EC IV. New

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information