GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

Transcription

1 GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

2 CONTENT 1. WHY A CLOUD COMPUTING GUIDE? WHAT IS CLOUD COMPUTING? WHAT ARE THE ROLES OF THE CLOUD SERVICES PROVIDER AND OF THE CLOUD SERVICES CLIENT? WHAT ARE THE RESPONSIBILITIES FROM THE PERSPECTIVE OF DATA PROTECTION? WHAT CATEGORIES OF DATA MAY FORM THE OBJECT OF CLOUD SERVICES? HOW DO I PROTECT DATA PROCESSED IN THE CONTEXT OF CLOUD SERVICES? WHICH FORMALITIES MUST BE FULFILLED FOR THE USE OF CLOUD SERVICES? What information must be provided to the persons whose data is processed? Is consent required for including data in Cloud? Is notification of the Supervisory Authority required? Is it necessary to obtain an authorization from the Supervisory Authority for the transfer of the data? HOW DO I CHOOSE A CLOUD SERVICES PROVIDER? What provisions are mandatory to be included in the Cloud Services agreement? What are the mandatory clauses to be included in the agreement in all cases? What clauses are mandatory in case the Cloud Services Provider uses subcontractors? What clauses are mandatory in the case of data transfer to states which do not ensure an adequate level of protection of the data? What provisions are recommended to be included in the contract? How do I ensure transparency regarding the processing of the data in Cloud? Should I limit the purpose for which personal data is processed? What rules regarding the deletion or return of the data would are reccomendable? How do I ensure that the rights of the data subjects are respected? How do I ensure that the Cloud Services Provider presents sufficient guarantees regarding the security of the data? ANNEX 1. DETAILS REGARDING THE INFORMATION OF DATA SUBJECTS WITH RESPECT TO THE PROCESSING OF THEIR DATA IN THE CLOUD CONTEXT ANNEX 2. DETAILS REGARDING THE NOTIFICATION OF THE DATA PROCESING IN THE CLOUD CONTEXT WHY A CLOUD COMPUTING GUIDE? (1) Considering that the rapid adoption and promotion of cloud computing is one of the priorities of the 2020 Digital Agenda 1, the National Supervisory Authority for Personal Data Processing (hereinafter the "Supervisory Authority") finds it useful to issue this 1 Unleashing the potential of cloud computing in Europe, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, SWD(2012) 271, available at 2

3 guide regarding the practices and procedures which it considers necessary or recommendable when an entity selects its cloud computing (hereinafter, the "Cloud Services") service provider, as well as regarding the obligations of the Cloud Services client, from the perspective of ensuring the lawfulness of the processing of personal data (hereinafter, the "Guide"). The Guide is meant to be a support tool in three directions: (a) (c) to help potential Cloud Services clients to choose those providers which ensure sufficient guarantees regarding the protection and security of the data; to offer indications to Cloud Services providers about the requirements which the Supervisory Authority considers that they should observe while providing the service; to familiarize the Cloud Services clients with the applicable formalities from the perspective of the personal data protection legislation for the compliant use of these services. (2) From a terminological perspective, the key concepts used in this Guide are: (a) the Cloud Services client represents the entity 2 which benefits from the services, surcharge, establishing the purpose and extent of the use of the service (hereinafter, the "Cloud Services Client"); and the Cloud Services provider represents the professional (company) which offers a Cloud Service (hereinafter, the "Cloud Services Provider"). (3) Since the cloud computing technology can bring a number of significant advantages to entrepreneurs, especially to small and medium-sized enterprises 3, it is expected for the adoption of Cloud Services to represent a legitimate interest of the entrepreneurs and to increase constantly over the future period. However, potential Cloud Services Clients must understand that the transition from an internal IT system to the use of Cloud Services involves, in the large majority of cases, the transfer of personal data processed by the client to the Cloud Services Provider. We emphasize in this context that the concepts of "personal data" and "processing" thereof have a very wide meaning 4, therefore any situation where data held by the client, which allow the identification of a person, may be stored, accessed, modified, transferred or processed in another way by the Cloud Services Provider, may represent a transfer of personal data from the Cloud Services Client to the Cloud Services Provider. (4) From the perspective of personal data protection, the legal framework applicable to the Cloud Services consists in the following main regulations in the field: 2 This guide does not refer to the situation where the Cloud Services are intended for consumers (respectively individuals), although the recommendations are largely applicable also in such case. 3 Idem note 1. 4 Please refer to Opinion 4/2007 on the concept of personal data (WP 136), available at 3

4 (a) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, implemented in Romanian law by Law No. 677/2001 for the protection of individuals with regard to the processing of personal data and the free movement of such data; Directive 95/46/EC, respectively Law No. 677/2001, apply both if the data controller (the Cloud Services Client) is established in the European Union as well as if the controller is established outside the European Union but uses equipment located in the Union, respectively Romania, for the processing of personal data (for example, data centers, servers, etc.); (c) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the public communications sector, implemented in Romanian law by Law No. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector; Decision of the Supervisory Authority No. 132/2011 concerning the conditions for the processing of the personal numeric code and of other personal data having an identification function of general applicability 5. (5) Without having a normative character, the interpretative opinions issued by the Art. 29 Working Party 6, especially Opinion 05/2012 on Cloud Computing 7, are an important tool for the interpretation and application of the above-mentioned regulations. (6) Depending on the field of activity of the Cloud Services Client other legislation or regulations in specific areas may also be applicable. 2. WHAT IS CLOUD COMPUTING? (7) In its Communication on Unleashing the potential of cloud computing in Europe (2012), the European Commission defined the concept of cloud computing as "the storing, processing and use of data on remotely located computers accessed over the internet 8, definition that captures the three defining elements: (a) providing processing capacity (storage, modification, compilation, etc.); on client demand, which means that the service is scalable according to client needs; 5 Can be accesed at 6 Available at Art. 29 Working Party is an independent body, made up of representatives of the data protection supervisory authorities from the European Union countries, representatives of the designated authority for personal data protection matters for the institutions of the European Union and a European Commission representative. Art. 29 Working Party was established on the basis of Directive 95/46/ EC and, among others, may issue recommendations on any aspect concerning the protection of individuals from the perspective of the processing of their data. 7 Opinion 05/2012 on Cloud Computing of Art. 29 Working Party is available at 8 Idem note 1. 4

5 (c) through remote infrastructure, which involves either the use of an Internet connection (most often), or the use of a private network. (8) Depending on the operating mode, cloud environments may be classified as follows 9 : (a) (c) Private cloud type of cloud hosted for or by a single entity in a private network, most often exploited internally, within which only parties from the respective entity may share resources; Hybrid cloud type of cloud which represents a combination of public cloud and private cloud, for example applications hosted in the public cloud, but with local storage of information; Public cloud type of cloud which is available to the general public or to a multitude of entities to contract, being owned and operated by a third party cloud provider. This type of cloud is considered in this Guide when referring to "cloud computing". (9) Depending on the type of service, there are three major categories of Cloud Services: 10 : (a) (c) Infrastructure as a Service (IaaS) consists in the use of primary computing resources (servers, storage or network infrastructure for developing, running and storing applications and data in cloud environments) through a remote connection. Art. 29 Working Party 11 mentions as practical applications of this service category, for example, offering for rental technological infrastructure which provides the option of replacing information technology systems at the headquarters of the beneficiary and/ or of using leased infrastructure alongside the beneficiary's own systems. Platform as a Service (PaaS) consists in the design, development, testing, implementation and hosting of applications on web platforms. Art. 29 Working Party considers that this type of service targets, as a rule, the beneficiaries which intend to use them in order to develop and host solutions based on proprietary applications, in order to meet requirements set internally and/ or to provide services to third parties 12. Software as a Service (SaaS) consists in using a web browser as a platform from which applications and web-based services are running, being the best known and most accessible form of Cloud Services for the regular user. 9 Please refer in this regard also to Opinion 05/2012 on Cloud Computing of Art. 29 Working Party, idem supra note 7 10 Please refer in this regard also to Opinion 05/2012 on Cloud Computing of Art. 29 Working Party, idem supra note Idem supra note 7, pag Idem supra note 7, pag. 30 5

6 Although generally the Cloud Services Client has a limited margin for the negotiation of the contractual terms and cannot intervene regarding the technical and administrative measures related to the functioning of the service and which are determined by the Cloud Services Provider, this is not liable to change the qualification of the Cloud Services Client as controller because this one continues to hold the power of decision to use or to cease using the Cloud Service, as well as regarding the purpose and the extent of such use. At most, the concrete circumstances and the extent of the decision-making powers granted to the Cloud Services Provider may lead to the conclusion that this latter is a joint controller. In practice, this service may take the form, for example 13, of various web-based applications, such as computerized registries and agendas, shared calendars, applications, text processing tools. (10) Sometimes the above types are combined (layered) so that, for example, the Cloud Services Client may use an application (SaaS) developed by provider A on a platform (PaaS) owned by provider B which uses Infrastructure (IaaS) from provider C 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES PROVIDER AND OF THE CLOUD SERVICES CLIENT? (11) Personal data protection law applies when a personal data processing operation occurs. Considering the very broad scope of both terms 14, the vast majority of operations that may occur in the cloud (including mere storage) regarding personal data falls under the definition of processing, thus drawing the application specific regulations. (12) In the context of Cloud Services, in most cases the Cloud Services Client is the personal data controller (respectively, the natural or legal person, private law or public law, including public authorities, institutions and territorial structures thereof, which establishes the purpose and the means of the personal data processing). This conclusion results from the fact that the service is at the discretion of the Cloud Services Client, the latter setting the purpose of the use, the timing and the extent of the service. (13) In the usual situation in which the Cloud Services Provider is processing personal data on behalf of and exclusively in the interest of the Cloud Services Client, the Cloud Services Provider will be qualified as data processor. But if the Cloud Services Provider holds 13 Idem supra note 7, pag Personal data is any information relating to an identified or identifiable natural person; an identifiable person is the person who may be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Personal data processing represents any operation or set of operations which is performed upon personal data, by automatic or non-automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure to third parties by transmission, dissemination or otherwise, alignment or combination, blocking, erasure or destruction Please refer to Art. 3 of Law No. 677/2001 and Opinion 4/2007 (WP 136) on the concept of personal data available at 6

7 attributions in establishing the purpose of the processing (for example, if it has the right to process personal data in its own interest, such as for marketing), the Cloud Services Provider becomes in its turn a controller, subject to the requirements specific to this category. (14) It is also possible the situation in which the Cloud Services Provider has no position (controller or processor) from the perspective of the personal data protection regulations, namely in the case where no personal data is involved in the performance of the service between the Cloud Services Provider and Cloud Services Client. This may occur when the data processed is not related to persons (an example in this sense would be rendering farms, whereby technical information is processed). Also, a particular case in which Cloud Services Provider has no position in terms of data protection regulations although the data were originally personal data, is where the data was unidirectional encrypted before transfer to the cloud provider, a situation detailed in paragraph (19) below. 4. WHAT ARE THE RESPONSIBILITIES FROM THE PERSPECTIVE OF DATA PROTECTION? (15) Law No. 677/2001 establishes on the controller the responsibility for compliance with all the requirements set out in this law, including the general principles governing any processing and specific information requirements, ensuring a legal basis for the processing, the protection of the data, etc. (16) For this reason (but not only) it is important for the Cloud Services Client to ensure, before contracting a Cloud Service, that it may use this service in compliance with all the obligations incumbent upon it under Law No. 677/2001 and the applicable secondary legislation. (17) In usual circumstances, where the Cloud Services Client is controller and the Cloud Services Provider is data processor, the allocation of responsibilities arising from the applicable law between the Cloud Services Client and the Cloud Services Provider may be summarized as follows: Selecting data categories The confidentiality and security obligation Informing the data subject Establishing the legal basis of the processing Notification with the Supervisory Authority (if the case) Authorization of the data transfer Ensuring the exercise of the data subjects' rights Cloud Services Client Cloud Services Client + Cloud Services Provider (only based on express contractual obligations) Cloud Services Client Cloud Services Client Cloud Services Client Cloud Services Client Cloud Services Client + Cloud Services Provider (only based on express contractual obligations) 7

8 5. WHAT CATEGORIES OF DATA MAY FORM THE OBJECT OF CLOUD SERVICES? (18) In accordance with personal data protection law, personal data may be "simple" data or special data, this last category including those related to racial or ethnic origin, political, religious, philosophical or similar opinions, trade union membership, personal data concerning health or sex life, as well as personal data having an identification function of general applicability (personal numeric code, series and number of identity card / passport, driving license number, etc). (19) When personal data is unidirectional encrypted before the transfer to cloud provider (aspect especially possible for the cases of IaaS and PaaS, and to a lesser extent for SaaS), the personal data protection obligations are applicable only in what regards the Cloud Services Client (the controller), not being applicable in what regards the client-provider relationship. Therefore, although the Cloud Services Client (the controller) which holds the encryption key has always the possibility to reverse the process (which means that the data does not become anonymous), the Cloud Services Provider cannot reconstruct the original information, so that from its perspective the data is not personal data. (20) Another important aspect is the way in which this data will be processed in the cloud, being recommendable that the right of the Cloud Services Provider to process in its own interest personal data should as limited as possible (and in any case well determined contractually), and in the case of special data to be prohibited. (21) Of course, the more sensitive the data processed, the more the Cloud Services Client should ensure that the level of security offered by the Cloud Services Provider is higher (including by reference to the applicable security requirements). (22) Considering that data processing is subject to specific rules, stricter in case of special data, it is important for the potential Cloud Services Client to perform an assessment, in order to determine if it is necessary to transfer (all) this personal data towards the Cloud Services Provider. It is, also, necessary to examine potential safety measures which can be taken in order to keep the data in appropriate security conditions. (23) When the processing of a certain special category of personal data is made by the Cloud Services Client on the basis of a legal obligation or in the cases provided at art. 7 paragraph (2), art. 8 paragraph (1) or art. 9 paragraph (1) of Law No. 677/2001, then the contracting of a Cloud Service will be allowed and will not be subject to special conditions if the following special conditions are met cumulatively: [Note for the consideration of ANSPDCP: to be discussed depending on the Authority's availability to modify Decision No. 132/2011 concerning the conditions for the processing of the personal numeric code and of other personal data having an identification function of general applicability] 8

9 (a) (c) (d) (e) (f) (g) (h) the identification of the categories of data and of the legal provisions which require the processing thereof, as well as the reasons for which this data is processed in cloud are thoroughly documented by the Cloud Services Client; contractual provisions prohibit the processing of the personal data by the Cloud Services Provider in its own interest; the data centers whereby the data is processed are located within the European Economic Area (hereinafter, "EEA"); the Cloud Services Provider performs a security assessment/audit through either internal resources or external auditor, and offers annually to the client, upon client s request and free of charge, the conclusions of the security assessment report; the Cloud Services Provider guarantees contractually that all subcontractors used meet the same level of security and confidentiality; the Cloud Services Provider guarantees the complete erasure of all copies of the personal data processed on behalf of the Cloud Services Client, in a welldetermined period (established contractually) from the request of the Cloud Services Client or upon the contract ending for any reason; the Cloud Services Client, as data controller, ensures the observance of the data subjects' rights, especially the right to full and accurate information; the Cloud Services Client notifies the personal data processing to the Supervisory Authority. (24) The categories of data are which is not directly obtained from the data subject may include both data generated by the Cloud Services Client (e.g., user name and initial preset password) and data generated during the use of the Cloud Services (e.g., traffic data regarding the access of the users to resources available through Cloud Services), so it is necessary to clarify all these types of data with the Cloud Services Provider. 6. HOW DO I PROTECT DATA PROCESSED IN THE CONTEXT OF CLOUD SERVICES? (25) The data controller operator is obliged, according to Art. 20 of Law No. 677/2001, to ensure data security, irrespective of whether it is processed directly by the controller or through data processors. (26) In accordance with Art. 20 paragraph (1) and paragraph (5) letter b). of Law No. 677/2001, the data controller is required to ensure contractually that any data processor applies appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, unauthorized alteration, disclosure or access as well as against any other unlawful forms of processing. In the context of Cloud Services, 9

10 the Cloud Services Client is responsible for the way in which the Cloud Services Provider fulfills in practice these obligations. (27) The Cloud Services Client remains directly responsible for the implementation of the data protection measures pertaining to its own operations (e.g., training own employees regarding the rules on personal data protection, establish rules regarding the access to terminals whereby personal data is processed, imposing on own employees the obligation of confidentiality regarding the personal data to which they have access, etc.). (28) In analyzing data security measures applicable by the Cloud Services Provider 15, the Cloud Services Client should consider also the minimum data security measures regulated by secondary personal data protection legislation, currently Ombudsman Order No. 52/ (if the Cloud Services Provider is established in Romania) and the measures regulated by another Member State of the European Union where the Cloud Services Provider would be established. (29) Mainly, considering the particularities of data processing in the context of providing Cloud Services (especially the possible external location of data in relation to the Cloud Services Client) and the specific risks arising in this respect, in accordance with the point of view of Art. 29 Working Party, it is advisable for the Cloud Services Clients to ensure that there exist reasonable data security and safety measures regarding: (a) data availability in case of exceptional events with adverse effects likely to cause interruptions of data access (e.g., accidental loss of network connectivity of the Cloud Services Provider's equipments, decrease in the performance of the server used by the Cloud Services Provider as a result of attacks, power failures, etc.) - taking reasonable measures through providing the Cloud Services Client with timely access and in safe conditions, by alternative means; protecting data integrity against accidental or malicious alterations - implementation by the Cloud Services Provider of detection and / or intrusion prevention systems; (c) ensuring data confidentiality - e.g., ensuring data encryption during communications / transit and, if possible, during storage, imposing confidentiality obligations on the employees of the Cloud Services Provider and, where appropriate, of the subcontractors used by the latter; 15 Should an electronic communications services operator provide such services to the public through a cloud solution, the operator must also observe the legal requirements regarding the personal data procesing and privacy protection in electronic communications sector regulated by Directiva 2002/58/CE implemented thorugh Law 506/ Ombudsman Order No. 52/2002 for the approval of the Minimal security requirements for personal data processing. 10

11 (d) ensuring the possibility of identifying the operations made over time on data and documenting the taking of appropriate measures for ensuring data security - e.g., implementation of systems for recording operations performed on data, existence of procedures for various aspects such as recording the operations performed on data, access to data, etc. 7. WHICH FORMALITIES MUST BE FULFILLED FOR THE USE OF CLOUD SERVICES? (30) Next, we are presenting the main obligations of the Cloud Services Client of informing the data subjects about the processing of their data, ensuring a legitimate basis for data processing, notifying the data processing and, where appropriate, obtaining a data transfer authorization from the Supervisory Authority, in consideration of the provisions of Law No. 677/2001. (31) Other obligations provided by Law No. 677/2001, to the extent relevant in the context of using Cloud Services, are addressed in other sections of the Guide WHAT INFORMATION MUST BE PROVIDED TO THE PERSONS WHOSE DATA IS PROCESSED? (32) As data controller, the Cloud Services Client has the obligation to ensure the information of the data subjects in relation to the way their data is processed, in accordance with the minimum requirements provided by Art. 12 of Law No. 677/2001. (33) To ensure full information of data subjects, it is recommended for the Cloud Services Client to consult the Cloud Services Provider for obtaining relevant information related to the Cloud Services Provider's activity (the countries where the data is stored, the possibility of transfer to other states, the use or not of subcontractors, categories of personal data generated in the activity of Cloud Services Provider). The information must not concern only the processing of data in the context of using the Cloud Services, because the use of Cloud Services is not an end in itself. The information should be made considering the separate processing purposes determined by the Cloud Services Client (e.g., human resources, economic- financial and administrative management, sales, marketing, etc.) for which Cloud Services may be used. (34) Details concerning the minimum content requirements and a model information note may be found in Annex 1 of this Guide IS CONSENT REQUIRED FOR INCLUDING DATA IN CLOUD? (35) In accordance with Art. 7 of Directive 46/95/ EC, implemented through Art. 5 of Law No. 677/2001, the processing of simple personal data (other than special data) is conditioned by the existence of one of the legitimacy grounds, namely: (a) existence of unambiguous consent from the data subject; 11

12 (c) (d) (e) (f) (g) (h) the processing is necessary in order to perform a contract or pre-contract to which the data subject is party or in order to take certain measures, at the request thereof, before the conclusion of a contract or pre-contract; the processing is necessary to protect the life, physical integrity or health of the data subject or of another person threatened; the processing is necessary for the fulfillment of a legal obligation of the data controller; the processing is necessary in order to comply with measures of public interest or which concern the exercise of public authority prerogatives vested in the controller or in the third party to whom the data is disclosed; the processing is necessary in order to fulfill a legitimate interest of the controller or of the third party to whom the data is disclosed, provided that such interest is not damaging the interests or fundamental rights and freedoms of the data subject; the processing regards data obtained from publicly available documents, according to the law; the processing is performed exclusively for statistical, historical or scientific research, and the data remains anonymous throughout the processing. Among the grounds of legitimacy provided by law there is no hierarchy, any of them having the same value and any being equally valid and usable 17. (36) It is not strictly necessary for controllers to rely on the consent of the data subject if the processing is based on a different legal ground. In this context, of particular interest for Cloud Services is the situation of fulfilling a legitimate interest of the controller or of the third party to whom the data is disclosed, because the cloud's use is a recognized interest at the level of the European Union, including through the 2020 Digital Agenda. The issue of the legitimate interest of the controller according to Art. 7 (f) of Directive 95/46/EC has been the subject of Opinion No. 6/2014 of Art. 29 Working Party, 18 in accordance with which the sections below present some issues of interest and particularities for Cloud Services. We emphasize, in this context, that the considerations from this section concern strictly the hypothesis of grounding the use of the Cloud 17 There is no hierarchy among the legitimacy grounds provided by law, and it is not necessary that one or other of the grounds to be applied only as an exception. Please refer in this sense to Opinion 15/2011 (WP187) on the definition of consent of Art. 29 Working Party, p. 6, available at 18 Opinion 06/2014 (WP217) regarding the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC of Art. 29 Working Party, available at 29/documentation/opinion-recommendation/files/2014/wp217_en.pdf 12

13 Services on the legitimate interest and not the analysis of the legality of using this ground for the processing of the respective data ab initio by the controller. (37) Interest, as a general concept, refers to the stake or benefit that the controller may have in relation to the processing of personal data. The concept of interest has a wider sphere than that of the right (subjective) of the controller, not being regulated by law 19. Interest must be pursued by controller, meaning that it should be real and present, should correspond to current activities or benefits expected in the near future, which excludes from the scope of applicability of the ground analyzed the interests which are too vague or speculative. The nature of the interest may be extremely varied, having on an extreme interests serving society in general and on the other extreme interests serving exclusively the controller concerned. Nevertheless, not all interests are legitimate, but only those which: (a) (c) comply with the law, in the most general sense; are sufficiently described (specific); and represent a real and current purpose. (38) From this point of view, it appears that using a Cloud Service is not only an interest in general of a potential Cloud Services Client (lower cost, higher mobility, etc.), but it is even a legitimate interest since the using of a Cloud Service is not prohibited by law and is a specific interest, real and present. (39) However, not any legitimate interest may justify the processing of personal data on this ground, but this legitimate interest must be balanced against the fundamental interests and rights of the data subjects. It should be mentioned that, while the interests of the controller must be legitimate, the restriction of legitimacy is not regulated also in respect of data subjects, with regard to which all interests must be considered. (40) The extremes of the balancing test are relatively easy to identify, meaning that minor legitimate interests of the controller will prevail over the interests of the data subjects only if the impact over these interests is smaller, and the important legitimate interests may, depending on the protection measures adopted, justify even significant intrusions into the privacy of data subjects. Clearly, the hypothesis of using Cloud Services by the controller is situated between the two extremes, so that personal data processing grounded on the legitimate interest requires the performance by the potential Cloud Services Client of the mentioned balancing test. (41) The two main factors in the balancing test are the importance of the legitimate interest of the controller and the impact on the data subject. In terms of importance, considering the intention declared at European Union level to support and promote the adoption of Cloud Services, it may be presumed that the controller's interest is both legitimate and 19 For example, an employer has the interest of ensuring the good internal management of the business; the holder of a site the interest to obtain information about its visitors in order to improve the quality of their web browsing, etc. 13

14 important. To this general appreciation there may be added particular factors, which are related to the materialization of the benefits brought by the Cloud Services to the potential client. (42) With regard to the impact on the data subjects, a general solution is impossible to determine, as each separate Cloud Service and each separate option of the data controller may be translated into differences (sometimes significant) in what regards the impact on data subjects. Thus, while a Cloud Service in the context of which it is guaranteed by contract the fact that that the Cloud Services Provider does not have the right to reuse data and that any access to the data will be made either upon the request of the Cloud Services Client or as a result of a legal obligation but with appropriate information of the Client Cloud Services can be considered to bring only minor harm to the rights of the data subject, the same cannot be said about a service that does not ensure these safeguards. (43) As it can be seen, an important role in the analysis is that of the measures taken in order to reduce the impact on the rights and interests of the data subjects. The more safeguards implemented, the lower the impact will be classified. (44) Then, an important role in the analysis is played also by the category of the personal data concerned, namely whether they are or not sensitive data. In general, the more sensitive the data, the more likely it is for the interest of the data subject to prevail over the legitimate interest of the controller, unless the controller takes adequate safeguard measures. Measures that may reduce the impact on the data subjects include (without limitation) encryption, pseudonymisation, functional separation, "privacy by design", using technical solutions for ensuring data integrity and protection against unauthorized access (firewall, anti-spam, anti-virus etc.), the right of unconditional termination of the contract, data portability. (45) The purpose of regulating the legitimate interest ground is not to prohibit any negative impact on the data subjects, but only to limit the disproportionate impact on data subjects. As a result, the balancing test should be performed by every Cloud Services Client in part, in order to ensure that a clear determination is made regarding the data subjects, the category of personal data processed, the importance of its actual interest in using the Cloud Service, the potential impact on the data subject, if that impact is proportionate to the importance of the Cloud Services Client's interest, what safeguards are implemented or can be added so that to reduce a potential disproportionate impact. (46) To the extent that the result of the balancing test is that the impact on the data subject is not unjustifiably high considering the concrete legitimate interest of the Cloud Services Client, then the Cloud Services Client may use the legitimate interest ground for the processing of personal data, without requesting the express consent of the data subjects. 14

15 (47) The processing of special data, depending on the category to which they belong, is subject to the specific conditions provided by Art of Law No. 677/2001. Establishing the grounds of the processing (both for simple personal data and for special ones) does not eliminate the applicability of the other processing principles such as proportionality, accuracy or quality of the processed data, and does not relieve the controller of the fulfillment of all other obligations (informing the data subject, ensuring data security, etc) IS NOTIFICATION OF THE SUPERVISORY AUTHORITY REQUIRED? (48) As a rule, the Cloud Services Client, as personal data controller, has the obligation to notify the data processing in the context of the Cloud Services, except for the cases where one of the exemptions from the notification obligation applies. (49) The exemptions from the obligation to notify the processing of personal data are provided in Art. 22 of Law No. 677/2001, in Decision No. 90/2006 of the President of the Supervisory Authority, in Decision No. 100/2007 of the President of the Supervisory Authority and in Decision No. 23/2012 of the President of the Supervisory Authority 20. The processing of personal data in the context of the Cloud Services does not represent a purpose for the processing of personal data in and of itself and will be notified only along with the purpose for which the data is processed by means of the Cloud Services. If the data controller (the Cloud Services Client) has already registered in the Registry of Personal Data Processing Operations held by the Supervisory Authority a notification which covers the purposes for which the Cloud Services are being used, the filing of a separate notification will not be necessary. It will, however, be necessary to verify whether the current notification also covers the relevant details of the data processing in the context of the Cloud Services. (50) Annex 2 describes practical aspects regarding the way in which the processing performed by the Cloud Services Client in the context of contracting of the Cloud Services must be reflected in a current notification or in a new one IS IT NECESSARY TO OBTAIN AN AUTHORIZATION FROM THE SUPERVISORY AUTHORITY FOR THE TRANSFER OF THE DATA? (51) Insofar as the use of the Cloud Services involves a transfer of personal data from the Cloud Services Client to the Cloud Services Provider, the legal requirements and restrictions in the field of data transfer will apply. From this perspective, relevant are both the state whose nationality is borne by the Cloud Services Provider and the localization of the data center(s) where the latter stores the data. More specifically, pursuant to Art. 20 The decisions can be accessed at the address 15

16 29 of Law No. 677/2001, the transfer to another state of personal data that is the object of processing or is intended to be processed after the transfer may take place only while ensuring that the provisions of Romanian law are not breached and if the state to which the transfer is intended ensures an adequate level of protection. (52) As a rule, any personal data transfer to another state requires the preliminary notification of the Supervisory Authority but if the state to which the transfer is made is not recognized to ensure an adequate level of protection, the said transfer requires additionally also authorization from the Supervisory Authority. For exceptions from the authorization requirement, please refer to paragraph (59) below. (53) European Union member states are considered to offer an adequate level of protection due to the common regulatory framework, therefore authorization will not be required in the case of personal data transfer to these states. The same considerations apply also in the case of transfer to the other EEA member states: Iceland, Liechtenstein and Norway. (54) The European Commission recognized by decision an adequate level of protection for Andorra, Argentina, Australia, Canada (companies), Switzerland, Faeroe Islands, Guernsey, Israel, The Isle of Man, Jersey, New Zealand, Uruguay and for the Safe Harbor principles adopted by the United States Department of Trade 21. Consequently, if the Cloud Services Provider uses data centers in these states or, in the case of the United States of America, holds Safe Harbor certification, the said transfer will be exempted from the authorization requirement. In the case of transfer to a Cloud Services Provider which adhered to the Safe Harbor principles, the Cloud Services Client must ensure that the Safe Harbor certification covers both the purpose of the transfer and all categories of data processed on behalf of the Cloud Services Client. In the contrary case, the transfer must be authorized by the Supervisory Authority for the aspects not covered by the Safe Harbor certification. (55) When the authorization requirement applies, the Supervisory Authority will assess the level of protection offered, taking into account the entire circumstances in which the data transfer takes place, especially given the nature of the data transmitted, the purpose of the processing and the timeframe proposed for processing, the state of origin and final destination, as well as the legislation of the state of final destination. (56) The Supervisory Authority may authorize the transfer of personal data to a state whose legislation does not provide a level of protection at least equal to that ensured by the Romanian legislation when the Cloud Services Client offers sufficient safeguards with respect to the protection of individuals' fundamental rights, through the contract concluded with the Cloud Services Provider. If this contract is 21 See 16

17 concluded in accordance with the standard clauses provided in Decision 2010/87/EU 22, the protection level provided by the Cloud Services Provider is considered adequate, without an authorization from the Supervisory authority being necessary. [Note for ANSPDCP's consideration: To be discussed depending on the availability of the Supervisory Authority to modify Decision No. 28/2007 for the implementation of Art. 29 of Law No. 677/2001.] (57) The Supervisory Authority may, also, authorize the data transfer based on the binding corporate rules (Binding Corporate Rules - BCR) approved by a coordinating authority within the EU, after the analysis of the adequacy of the safeguards offered for the protection of the fundamental rights of the individuals. (58) When necessary as specified above, the authorization will be issued by the Supervisory Authority pursuant to the notification filed by the Cloud Services Client and the authorization will be issued upon completion of the notification formalities. (59) As an exception from the aforementioned authorization requirement, Law No. 677/2001 provides in Art. 30 several situations in which the transfer is always allowed, regardless of the level of protection offered, so that obtaining an authorization is no longer applicable: (a) (c) (d) (e) when the data subject expressly consented to the transfer; when it is necessary for the performance of a contract concluded between the data subject and the controller or for the implementation of certain pre-contractual measures taken pursuant to the request of the data subject; when it is necessary for the conclusion or performance of a contract that has been or will be concluded, in the interest of the data subject, between the controller and a third party; when it is necessary in order to serve a major public interest, such as national defense, public order or national safety, for the proper carrying out of the criminal trial or for the establishment, exercise or defense of a legal right in court, on the condition that the data is processed in relation to this purpose and not longer than necessary; when it is necessary to protect the life, physical integrity or health of the data subject; 22 Decision 2010/87/EU regulates the standard clauses for the transfer of personal data from controller to processor. If the Cloud Services Provider is itself a controller, the standard clauses that may apply between the parties are provided in Decision 2001/497/EC (set I), available at and Decision 2004/915//EC (set II), available at protection/document/international-transfers/files/clauses_for_personal_data_transfer_set_ii_c doc. 17

18 (f) when it occurs as a result of a prior request for access to official documents which are public or of a request for information which can be obtained from registries or from any other documents accessible to the public. (60) Of all the exemption situations regulated, the one that presents most interest from a practical perspective in the case of Cloud Services is the one in which the data subject explicitly consented to the transfer. In such case, it will no longer be necessary to obtain an authorization from for the Supervisory Authority for the transfer but the Cloud Client, as controller, should take into account the fact that using this exception may trigger practical difficulties, both with respect to obtaining informed consent (based on the preliminary provision of the minimum information required by Art. 12 of Law No. 677/2001) from each data subject separately, and with respect to the fact that the data subject could subsequently withdraw the consent. 8. HOW DO I CHOOSE A CLOUD SERVICES PROVIDER? (61) Considering that the fulfillment of the legal requirements in the field of personal data protection rests mainly with the Cloud Services Client, as emphasized by Art. 29 Working Party it is in its interest to choose a Cloud Services Provider that offers sufficient guarantees with respect to compliance with such requirements. The Cloud Services Client is liable for the way in which the Cloud Services Provider, as a processor for the controller, will process the personal data on behalf of the controller. (62) For this reason, the Cloud Services Client must pay particular attention when selecting the Cloud Services Provider. (63) The Cloud Services could make more difficult an actual direct control by the Cloud Services Client over the data which undergo processing and over the media and processes used for processing the data. For this reason, the Cloud Services Client must ensure that the Cloud Services Provider makes available all the information necessary to the Cloud Services Client to fulfill the notification formality applicable with respect to the processing of the personal data when using the Cloud Services. (64) Hereinafter below we are presenting: (a) the legal obligations of the Cloud Services Client which require the inclusion of mandatory provisions in the agreement for the supply of Cloud Services section 8.1; and the main legal obligations of the Cloud Services Client for the compliance with which it needs the active cooperation of the Cloud Services Provider and in relation to which it is advisable to include obligations upon the Cloud Services Provider section 8.2. (65) For the data protection formalities applicable to the Cloud Services Client and which also require the cooperation of the Cloud Services Provider by providing information, please refer to paragraph (83) below. 18

19 8.1. WHAT PROVISIONS ARE MANDATORY TO BE INCLUDED IN THE CLOUD SERVICES AGREEMENT? What are the mandatory clauses to be included in the agreement in all cases? (66) Considering the capacity of the Cloud Services Provider as a processor of the Cloud Services Client, it is mandatory to conclude a written agreement 23 imposing upon the Cloud Services Provider the following minimum legal obligations as per Art. 20 paragraph (5) of Law No. 677/2001: (a) the obligation to act only based on the instructions of the Cloud Services Client 24 ; and the obligation to implement the adequate technical and organizational measures for protecting the personal data against accidental or unlawful destruction, loss, unauthorized modification, disclosure or access as well as against any other form of unlawful processing. (67) It is sufficient that the agreement for the provision of the Cloud Services contains the two aforementioned obligations, irrespective of the form in which they are transposed (i.e., the undertaking by the Cloud Services Provider of the obligation to process the data only in the conditions agreed upon by the Cloud Services Client in the agreement; contractual section containing the data security standards undertaken by the Cloud Services Provider, etc.). (68) From a practical perspective, the instructions of the Cloud Services Client mentioned in Art. 20 paragraph (5) of Law No. 677/2001 may take the form of the rules regulated in the agreement for the provision of the Cloud Services (mainly in relation to the identification of the services to be provided, of the technical conditions, the contractual term, etc.) What clauses are mandatory in case the Cloud Services Provider uses subcontractors? (69) In accordance with to the interpretation of Art. 29 Working Party and the mechanism regulated at the level of the European Union by Decision of the European Commission 2010/87/EU 25, if the Cloud Services Provider uses subcontractors, the Cloud Services 23 In practice, many Cloud Services Providers, in particular those with international presence, publish the terms and conditions applicable to the Cloud Services on publicly available pages and include by reference the respective terms and conditions in the services agreement. For this reason, the reference herein to a written agreement must be understood lato sensu, as a reference to the agreed terms, irrespective of the form in which the contractual document is agreed upon (hard copy or online). 24 Optionally, for contractual safety, the parties may specify the way in which the Cloud Services Client can send instructions to the Cloud Services Provider. 25 Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council [notified under number C(2010) 593] 19

20 Client can meet its obligations provided in Art. 20 paragraph (5) of Law No. 677/2001 in two alternative ways: (a) either the Cloud Services Client concludes data processing agreements with such subcontractors, which would include the two legal provisions specified in paragraph (66), or without concluding a distinct agreement if the following cumulative conditions are met: (i) (ii) the Cloud Services Provider uses subcontractors only with the prior written consent of the Cloud Services Client. Considering the model regulated by Decision of the European Commission 2010/87/UE and the interpretation of Art. 29 Working Party, the prior written consent is considered obtained either by obtaining the written consent of the Cloud Client before using each subcontractor envisaged to be used by the Cloud Services Provider, or by meeting the following cumulative conditions: i.1) through the agreement concluded for the provision of the Cloud Services, the Cloud Services Client agreed to the use of subcontractors by the Cloud Services Provider; and i.2) the Cloud Services Clients are given the possibility to opt for being notified of the intention of the Cloud Services Provider to use a new subcontractor; and i.3) the Cloud Services Provider notifies in relation to the new subcontractor the Cloud Services Clients which opted to be consulted in this respect; and i.4) the Cloud Services Client did not express, supported by arguments, its opposition to the use of the respective subcontractor and/or did not terminate the agreement for this reason, within the term agreed upon contractually by the parties. The Cloud Services Provider concludes with the subcontractor a written contract whereby the latter undertakes the obligations provided by Art. 20 paragraph (5) of Law No. 677/ What clauses are mandatory in the case of data transfer to states which do not ensure an adequate level of protection of the data? (70) It is possible, in the context of the Cloud Services, to have personal data transferred to states not recognized by the European Commission as ensuring an adequate level of data protection. The transfer may be permitted either on the basis of an authorization of the Supervisory Authority or on the basis of a contract that includes the Standard Contract Clauses (Processors) adopted by the European Commission through Decision of the 20