PRIVACY CHECKLIST FOR CLOUD SERVICE CONTRACTS



Similar documents
CLOUD COMPUTING Contractual and data protection aspects

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Article 29 Working Party Issues Opinion on Cloud Computing

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

The Cloud Security Alliance

Recommendations for companies planning to use Cloud computing services

Summary of responses to the public consultation on Cloud computing run by CNIL from October to December 2011 and analysis by CNIL

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Data Protection Compliance for the Public and Private Sector in the EU

EuroCloud Star Audit. A strong partnership that provides you with a competitive advantage

Cloud Service Contracts: An Issue of Trust

Information Management Compliance and Data protection.

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

Data Processing Agreement for Oracle Cloud Services

Privacy Compliance and Security SLA: CSA addressing the challenges

How To Understand And Understand The European Priorities In Information Security

The problem of cloud data governance

ENISA and Cloud Security

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

E- COMMERCE IN EUROPE & PORTUGAL

ENISA and Cloud Security

Data protection issues on an EU outsourcing

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

August Report on Cloud Computing and the Law for UK FE and HE (An Overview)

Cloud Security Standardisation & Certification. Arjan de Jong Policy Advisor Information Security

Cloud Computing Security Audit

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Supplier Integrity Guide

The Cadence Partnership Service Definition

Mitigating and managing cyber risk: ten issues to consider

TOOLS and BEST PRACTICES

The potential legal consequences of a personal data breach

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP HP ENTERPRISE SECURITY SERVICES

How To Get A Degree From The Brussels School Of International Relations

COCIR contribution to the public consultation on Personal Data Protection in the EU 1

Data Security and Extranet

How To Write An Article On The European Cyberspace Policy And Security Strategy

PRIVACY MANAGEMENT ACTIVITIES

Office 365 Data Processing Agreement with Model Clauses

Cloud Computing: Legal Risks and Best Practices

Pursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;

SINGLE RESOLUTION BOARD VACANCY NOTICE ICT PROJECT MANAGER AND BUSINESS ANALYST (SRB/AD/2015/017)

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Data and Cyber Laws Up-date 9 July 2015

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

SINGLE RESOLUTION BOARD VACANCY NOTICE DOCUMENT MANAGEMENT OFFICER (SRB/AST/2016/003) Corporate Services IT

Regulatory Issues - Review of the Cullen International Economic System

Policy Implications: Privacy, Security and Liability Big Data in Telecom. June TIA 2012: INSIDE THE NETWORK Dallas TX

Data Protection Breach Management Policy

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

European Payment Institutions Federation

Every Cloud Has A Silver Lining. Protecting Privilege Data In A Hosted World

Essential terms and conditions for a secure use of Cloud services Checklist

Checklist: Cloud Computing Agreement

Privacy & Data Security: The Future of the US-EU Safe Harbor

Overview. Data protection in a swirl of change Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

FUNERAL SERVICES MBA (FuseMBA) 3rd edi8on, March Corporate Solu8ons for companies and ins8tu8ons

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

EMEA Account opening guide

August User Guide: Cloud Computing Contracts, SLAs and Terms & Conditions of Use. Key Points. What s in this Guide?

AGENDA Morning Session

Template for Automatic Number Plate Recognition (ANPR) Infrastructure Development Privacy Impact Assessment

SINGLE RESOLUTION BOARD VACANCY NOTICE ICT OPERATIONS MANAGER (SRB/AD/2015/016)

Cloud Software Services for Schools

National Cyber Security Strategies

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Transcription:

PRIVACY CHECKLIST FOR CLOUD SERVICE CONTRACTS CIRRUS WORSHOP 28 February 2013, The Interna<onal Auditorium, Brussels, Belgium Dr. Paolo Balboni, Partner at ICT Legal Consul7ng & Scien7fic Director of the European Privacy Associa7on paolo.balboni@ictlegalconsul7ng.com - www.ictlegalconsul7ng.com pbalboni@europeanprivacy.eu - www.europeanprivacyassocia7on.eu

Introduc7on 2012 and 2103(already) have been very interesting years from the cloud computing data protection & data security point of view! 2

Official documents published o Art.29WP Opinion 05/2012 on Cloud Computing o European Cloud Strategy o European Cybersecurity Strategy o CNIL's recommendations for companies using cloud computing services o Italian DPA Cloud Computing: il Vademecum del Garante o Irish DPC Data Protection in the Cloud o ICO Guidance on the use of cloud computing 3

So what?... o All the documents need to be read in close connection with the EU Commission Proposal for a General Data Protection Regulation o From the official documents and the actual and forthcoming applicable data protection legislation we can draw a checklist of information that, on the one side, the CSP has to disclose and, on the other side, the client must carefully analyse and assess 4

Privacy checklist (i) A CSP will have to share: 1. Information about its identity (and the representative in EU, if applicable), its data protection role, and the contact details of the Data Protection Officer or of a "privacy contact person 2. CSP will have to describe in which ways the data will be processed and provide information on data location and subcontractors 3. How data transfer may take place and on which legal ground (mainly model contracts, binding corporate rules SH principles have not been recognised as adequate) 5

Privacy checklist (ii) 4. Data security measure in place, with special reference to: - availability of data - integrity - confidentiality - transparency - isolation (purpose limitation) - intervenability 5. Way to monitoring CSP data security 6. Possibility to run audits for clients or trusted third-parties 6

Privacy checklist (iii) 7. Personal data breach notification policy 8. Data portability, migration, and transfer back assistance 9. Data retention, restitution and deletion policies 10. Accountability, meaning the policies and procedures CSP has in place to ensure and demonstrate compliance, throughout CSP value chain (e.g., sub-contractors) 7

Privacy checklist (iv) 11. Cooperation with clients to respect data protection law, e.g., to assure the exercise of data protection rights 12. Management of law enforcement request of access to personal data 13. Remedies available for the customer in case of CSP breach of contract. 8

Some final remarks o o o A couple of issues Conclusions Recommendations: - Transparency, accountability PLA! 9

Thanks for your anen7on! Q&A CIRRUS WORSHOP 28 February 2013, The Interna<onal Auditorium, Brussels, Belgium Dr. Paolo Balboni, Partner at ICT Legal Consul7ng & Scien7fic Director of the European Privacy Associa7on paolo.balboni@ictlegalconsul7ng.com - www.ictlegalconsul7ng.com pbalboni@europeanprivacy.eu - www.europeanprivacyassocia7on.eu 10

Paolo Balboni, Ph.D., is a top Aer European ICT, Privacy & Data ProtecAon lawyer and serves as Data ProtecAon Officer (DPO) for mulanaaonal companies. As a frequently invited speaker, Balboni has spoken at more than 50 interna7onal conferences around the world in the last 2 years on ICT, Privacy & Data Protec7on legal maners. He is a regular invited expert on the revision of the EU General Data Protec7on Regula7on to the European Parliament. Balboni is the author of the book Trustmarks in E- Commerce: The Value of Web Seals and the Liability of their Providers (Cambridge University Press) and of numerous papers on European ICT, Privacy & Data protec7on law. Balboni is the Scien7fic Director of European Privacy Associa7on, Cloud Compu7ng Sector Director and responsible for Foreign Affairs of Italian Ins7tute for Privacy. He is admined to the Bar in Milan and the Founding Partner at ICT Legal Consul7ng. Together with his team, he provides legal advice across Europe to mul7na7onal companies, especially concerning personal data protec7on, IT- contracts, cloud compu7ng, e- commerce, e- marke7ng, adver7sing, Web 2.0 service providers liability, Law Enforcement Agency (LEA) access to informa7on and databases, digital contract and document management, and intellectual property rights. He also advises celebri7es on privacy and copyright maners. He has considerable experience in the following areas: IT - including Cloud Compu7ng, Big Data & Analy7cs, Media & Entertainment, e- Health, Fashion, Banking, An7- Money Laundering (AML) and Counter- Terrorist Financing (CFT). He co- chairs the Privacy Level Agreement (PLA) Working Group of Cloud Security Alliance and was the legal counsel chosen for the projects of European Network and Informa7on Security Agency (ENISA) on Cloud Compu7ng Risk Assessment, Security and Resilience in Governmental Clouds, Procure Secure: A guide to monitoring of security service levels in cloud contracts and Common Assurance Maturity Model Beyond the Cloud (CAMM). Paolo Balboni is ac7vely involved in European Commission studies on new technologies and data protec7on. Balboni is Lecturer at the Master Digital Media Management at the European Ins7tute of Design and Research Associate at Tilburg University. He obtained his Law Degree with dis7nc7on from the University of Bologna in 2002, a Ph.D. from Tilburg University on Compara7ve ICT Law. He speaks fluent Italian, English and Dutch and has a good knowledge of French, German and Spanish. 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information