Acquia Comments on EU Recommendations for Data Processing in the Cloud

Executive Summary

On July 1, 2012, European Union (EU) data protection regulators adopted guidance for service providers that process personal data in the cloud on behalf of client organizations. The opinion describes the associated risks and recommends best practices. This brief white paper explains how Acquia Cloud aligns with that guidance, so that the transfer of EU personal data to a cloud service provider such as Acquia can take place lawfully under EU law.

The opinion, Opinion 05/2012 on Cloud Computing, was issued by the Article 29 Data Protection Working Party, also known as WP 29. It provides recommendations for both the cloud service provider and the cloud customer to help them satisfy the Data Protection Directive 95/46/EC, which regulates the processing of personal data within the EU. These recommendations outline the best practices to be observed when a service provider, as part of its cloud-based service, processes personal data on behalf of a client organization. Acquia observes these best practices and adheres to the recommendations issued in the opinion.

The opinion places special emphasis on the contractual arrangements between cloud service providers and cloud customers. Its recommendations supplement the protection of an individual's right to data protection stipulated in Article 8 of the EU Charter of Fundamental Rights. The opinion also identifies the risks of using cloud services that do not comply with the Data Protection Directive: when a service provider is not in compliance, these risks include loss of control over personal data and a lack of transparency about what safeguards apply while the data is processed.

EU regulators recommend that organizations considering cloud services conduct a comprehensive vendor risk analysis and follow the recommendations in the opinion.

SKU 0327-130110

By choosing a service provider, such as Acquia, that adheres to these recommendations, EEA-based customers may use cloud services while remaining in compliance with EU data privacy regulations.

Cloud Computing Data Protection Risks and How Acquia Mitigates These Risks

The Working Party recommends that cloud customers conduct risk assessments of cloud service providers. Summarized below are the risks the Working Party identified with regard to cloud computing, together with how using Acquia Cloud mitigates each of them.

A lack of transparency and integrity: Cloud customers should know the service provider's parameters for data processing and whether any subcontractors have access to customer data. Where data may be accessed by subcontractors, the same contractual and legal provisions should apply to the subcontractors as to the service provider. Acquia Cloud is a Platform as a Service (PaaS) built on the Amazon Web Services (AWS) Infrastructure as a Service (IaaS). In this model, Acquia has sole responsibility to the customer for processing customer data. While Amazon, as the infrastructure provider, maintains the underlying data centers, Amazon personnel have no access to customer data. To provide further assurance to the customer, Amazon is contractually obligated to Acquia to abide by all applicable privacy regulations and to provide the same level of confidentiality that Acquia provides to its customers.

A lack of availability due to vendor lock-in: Proprietary technology may make it difficult for a cloud customer to move data and documents from one cloud provider to another. Because Drupal is open source software, customers are not locked into Acquia as their vendor: Acquia's customers may export their data and code to another provider, or to their own on-premise data center, at any time.

A lack of confidentiality due to law enforcement: Law enforcement and national security authorities may obtain access to data stored with cloud service providers in many advanced economies, including the United States, Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, and the United Kingdom. Acquia commits to notifying its customers if it receives a data inquiry from any law enforcement agency, unless such notification is prohibited by law.

A lack of intervenability: Intervenability refers to a data subject's right to access, correct, or update the personal information that has been collected about them. Providing the ability to access, correct, or delete personal data is an application-layer function; when a site collects personal information from its users, it is implemented in the customer's application (Drupal) layer.

A lack of isolation: This term refers to the risk that data is used for purposes other than those for which it was collected, for example by being linked with other customers' data on shared infrastructure. Acquia, as detailed in its Privacy Policy, commits never to communicate its customers' data to any third party for any purpose beyond the functional requirements set out in that policy.

A lack of transparency of the service provider due to chain processing or processing at different locations: Cloud service providers need to be transparent about their use of subcontractors that may have access to the customer's data, and only subcontractors with acceptable data privacy controls should be used. Acquia clearly states the parameters of its relationship with its infrastructure partner, Amazon AWS, and names the locations (such as the U.S. and the EU) where the customer may choose to host its sites. Acquia remains responsible to the customer in the event of a data breach by a subcontractor.

Legal framework and applicable law: The applicable law is that of the country where the cloud customer is established, not where the service provider is located. Acquia is Safe Harbor certified and committed to abiding by EU privacy laws.

Recommendations for Cloud Service Providers and Cloud Customers

The Working Party makes the following recommendations to cloud customers and cloud service providers:

- Cloud customers should conduct a comprehensive and thorough risk analysis of cloud service providers.
- Cloud customers should choose service providers based on their agreement to comply with the relevant data protection laws.
- Cloud service providers should guarantee compliance with EU data protection legislation and adhere to the basic principles of EU data protection law: maintain transparency; observe the principles of purpose specification and limitation of personal data; and process data only within the parameters of the service contract.
- Personal data should be erased as soon as its retention is no longer needed, and appropriate technical and organizational security controls must be in place to protect personal data and ensure its confidentiality.

Acquia Cloud is fully compliant with these recommendations.

Contractual Safeguards

The Working Party stresses the importance of contractual safeguards between the service provider and its customers. The contract between the cloud customer and the cloud service provider should establish the data security requirements. Acquia complies with all customer data security requirements as part of the contract process.

The Working Party recommends that a contract address the following points:

- Obligate the cloud service provider to implement organizational and technical security measures adequate to protect personal data.
- Detail the extent, manner, and purpose of the cloud provider's processing of personal data, where applicable.
- Specify the conditions for returning or destroying personal data.
- Include a confidentiality clause binding the service provider, so that only authorized personnel have access to personal data.
- Obligate the service provider to assist the customer in enabling personal information to be corrected, updated, or deleted.
- Prohibit the cloud service provider from sending personal data to any third party unless the agreement specifically provides for it.
- Obligate the service provider to name its subcontractors and to ensure that its confidentiality obligations extend to them.
- Require the service provider to notify the customer of any data security breach.
- Specify where data may be processed and stored.
- Ensure the cloud customer's right to monitor, and the service provider's corresponding duty to ensure, that the security requirements are met.
- Obligate the service provider to inform the customer of major technical changes.
- Specify the logging of the processing operations performed on personal data.
- Require the cloud service provider to inform the cloud customer of any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited.
- Require the service provider to represent that its internal organization and data processing procedures comply with applicable national and international legal requirements.

For guidance on contractual addenda that meet these criteria, see the standard contractual clauses for processors in Commission Decision 2010/87/EU: http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=oj:l:2010:039:0005:0018:EN:PDF

Conclusion

Acquia advises EU organizations considering a cloud investment to weigh the privacy and regulatory issues that can arise when personal data is stored and processed in the cloud. The Working Party has detailed the pertinent risks when personal data is processed or stored by cloud service providers. Organizations should conduct risk assessments of cloud service providers and should ensure that the Working Party's recommended contract provisions are included in their agreements with cloud vendors. Acquia supports the Article 29 Working Party's opinion and can provide documentation upon request to demonstrate that Acquia meets all of the risk assessment criteria.

Copyright 2013, Acquia, Inc. Acquia, Inc., 25 Corporate Drive, 4th Floor, Burlington, MA 01803 USA. www.acquia.com, sales@acquia.com, +1.781.238.8600