Cloud computing and the legal framework



Guidance on legislative requirements and the contractual environment related to cloud computing

Contents

1. Introduction
2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security
  2.1 No processing of personal data
  2.2 Processing of personal data
    2.2.1 Authority to process personal data
  2.3 The data controller's entrusting of personal data to a data processor (cloud supplier)
    2.3.1 The security requirements of the Act on Processing of Personal Data
    2.3.2 Data processor agreement
    2.3.3 Cloud supplier outside the EU, including special rules for transfer to locations outside the EU
    2.3.4 Duty of notification
  2.4 Certain critical information
3. Other relevant legislation
  3.1 The Bookkeeping Act (Bogføringsloven)
  3.2 The Audit Act (Regnskabsloven)
  3.3 The Archive Act (Arkivloven)

1. Introduction

Cloud computing is expected to become more and more widespread in the future. The Agency for Digitisation has therefore, in cooperation with Kammeradvokaten, the legal adviser to the Danish Government, prepared this guidance for the purpose of reviewing matters which both the customer (e.g. a public authority) and the supplier of the cloud solution should consider and be aware of when forming a contract regarding cloud computing.

In most cases, much of the data in a cloud solution will consist of personal data. The focus of this guidance is therefore on legal matters relating to personal data; see chapter 2 below. In relation to chapter 2, note the importance of the customer being aware of what data is entrusted to the supplier in the cloud solution. The Danish Act on Processing of Personal Data limits what data may freely be entrusted to a supplier in a cloud solution. Furthermore, the Act and the accompanying Executive Order on Security contain rules requiring prior authorisation from the Danish Data Protection Agency for certain solutions. The customer must therefore, before forming a contract, carefully consider what data is to be managed by the cloud supplier in order to comply with the Act and the Executive Order on Security. Notes by the Danish Data Protection Agency on legal matters regarding personal data are incorporated in the guidance.

Chapter 3 gives a brief introduction to other relevant legislation which in certain cases may be important to cloud computing. It is recommended to read the guidance in full. The guidance addresses both public authorities and private companies.

2. The Danish Act on Processing of Personal Data and the accompanying Executive Order on Security

The Danish Act on Processing of Personal Data (act nr 429 of 31 May 2000 on processing of personal data, as amended) regulates the processing of personal data. The term "personal data" comprises any data regarding an identified or identifiable natural person, cf. section 3 (1). The term includes data that can be traced to a natural person even where this requires knowledge of a personal identification number, registration number or similar specific identifier such as a serial number, regardless of whether the data is on record or immediately obtainable. The definition also covers circumstances under which personal data can be traced to a person only by someone with particular knowledge. As an example, an email address or an IP address may be personal data and thereby covered by the Act, because it is possible to relate the IP address to a certain computer and its owner. An email therefore does not have to contain the name or email address of the recipient to be considered personal data.

Apart from a few exceptions, the Act only applies to data about natural persons and not to data about legal persons. The Act covers processing of data by public authorities as well as by the private sector; the same legislation therefore applies to both sectors.

Pursuant to the Act, several Executive Orders have been issued, among other things regarding the requirements for data security. Further rules for the public administration are set in the Executive Order on Security [1]. The Executive Order applies to any processing of personal data carried out within the public administration entirely or partly by means of electronic data processing. It defines the technical and organisational security measures which, as a minimum, must be taken in the public administration to ensure processing security (data security).

The review in chapter 2 is not exhaustive, and the customer must in any case assess its own compliance with the Act, if necessary by seeking guidance from the Danish Data Protection Agency.

2.1 No processing of personal data

If a customer wishes to form a contract regarding a cloud solution in which no personal data is processed, the Act does not limit the exchange or transfer of data to a cloud supplier. In that case there is no need to include in the contract special terms and conditions for compliance with the Act. This could e.g. be a cloud solution for operating a statistical application containing no personal data. In such an event there are no limitations on the customer forming a contract with the cloud supplier, regardless of the supplier's location.

[1] Executive Order nr 528 of 15 June 2000, as amended by Executive Order nr 201 of 22 March 2001.

2.2 Processing of personal data

When processing personal data, compliance with the Act is required. In this context "processing" means any operation or set of operations which the data is subjected to, with or without the use of electronic data processing, cf. section 3 (2). The term covers any handling of data, e.g. collection, registration, organisation, storage, alteration, retrieval, transmission, entrusting, disclosure, combination or matching, blocking, deletion or destruction.

2.2.1 Authority to process personal data

Regardless of which solution is chosen for managing personal data, it is important to be aware of the relevant provisions. Both the Act and special rules in other legislation limit what kinds of data may be included as well as the use of that data, e.g. disclosure. Personal data can be divided into:

- Ordinary, non-sensitive data (section 6)
- Sensitive personal data (section 7, e.g. data about race, political opinions, religion etc.)
- Other types of sensitive personal data (section 8, e.g. data about criminal record, social problems etc.)

Whether there is a legal basis for processing personal data is determined by, among other things, the purpose of the processing and the character of the data, i.e. whether it is section 6, 7 or 8 data. Any processing of personal data must comply with the basic requirements of section 5 on good data processing practice and on the purpose of the processing being explicit and legitimate. It is also required that the data processed is relevant and adequate, and that it is kept up to date. Furthermore, the data may not be stored in a form which makes it possible to identify the data subjects for longer than necessary for the purpose of the processing, cf. section 5 (3)-(5).

2.3 The data controller's entrusting of personal data to a data processor (cloud supplier)

Section 3 (4) and (5) of the Act defines the terms "data controller" and "data processor". A cloud supplier will in most cases be a data processor.

The data controller decides for what purpose and by which means personal data may be processed, while the data processor processes personal data on behalf of the data controller. The data controller is responsible for the processing of personal data and controls the data. A data processor may perform the practical processing of personal data on behalf of the data controller; it is for the data controller to decide whether the data processor is to process the data on its behalf. It is the data controller's responsibility that the processing complies with the legislation, and this also applies to data processed by the data processor.

2.3.1 The security requirements of the Act on Processing of Personal Data

A number of factors require attention regardless of whether data is left with a cloud supplier in Denmark, another EU country or a third country. It is the responsibility of the data controlling authority that the Act and the Executive Order on Security are complied with by the data processor. The rules of the Executive Order on Security apply to processing of personal data in the public administration.

Security requirements in the private sector

For the private sector there is also a legal basis for issuing an executive order on security requirements, but this has not been exercised. However, the Danish Data Protection Agency has in concrete cases set further rules on security precautions by making use of its power to set terms when issuing licences. The Agency has furthermore on various occasions recommended that private companies to the widest possible extent implement security measures corresponding to the Executive Order on Security. Additionally, the Agency has set a number of requirements and recommendations for the private sector in relation to transfer of personal data via the internet. These may be read on the Agency's website: http://www.datatilsynet.dk/erhverv/internettet/

The data controller must produce an overall risk assessment of whether a given solution provides a sufficient level of security. The risk assessment may be based on a standard for information security such as ISO/IEC 27001 or DS 484, the common governmental standard for information security in Denmark. Both contain examples of the elements a risk assessment may comprise. For a cloud solution, inspiration for the risk assessment may be found in ENISA's [2] publication "Cloud Computing: Benefits, risks and recommendations for information security" (see the checklist on pages 71-82 of the report): http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment

In any case the data controller must ensure that the data processing by the data processor complies with the Danish security requirements described in sections 41-42 of the Act and in the Executive Order on Security. These requirements are described in the following.

The aim of the security requirements is first and foremost that both public and private data controllers and data processors must implement the necessary technical and organisational security measures against accidental or unlawful destruction, loss or alteration and against unauthorised disclosure, abuse or other processing in violation of the Act, cf. section 41 (3). For processing of personal data by public authorities this is further described in the Executive Order on Security (nr 528 of 15 June 2000, as amended by nr 201 of 22 March 2001) and the security guidelines (the Danish Data Protection Agency's guidelines nr 37 of 2 April 2001). According to the Executive Order on Security, the Agency is entitled to make recommendations to the data controlling authority regarding the security measures taken. The Executive Order on Security and the security guidelines, to which reference is made in the following, describe and elaborate on the technical and organisational security measures which, for reasons of data security, must be taken in the public administration in accordance with the general rules on security measures in sections 41-42. These requirements from the Executive Order on Security must be observed as a minimum.

In addition, the security measures taken must reflect that the processing of personal data in a cloud solution is done via the internet, which tightens the requirements for data security. The Act, the Executive Order on Security and the security guidelines describe a number of security measures which must be met when processing personal data for the public administration. Below is a list of some of those security measures that are especially relevant to cloud solutions. The list is not exhaustive but merely highlights some of the measures:

- Personal data must be deleted after processing.
- When discarding or passing on used data media, it must be ensured that personal data is not accessible to unauthorised persons.
- When transmitting data over the open internet, encryption of the data is a minimum requirement.
- Authentication (the sender's and the recipient's identity) and integrity (the validity of the transmitted data) must be secured to the extent the circumstances require, e.g. by using two-factor authentication.
- It must be ensured that only authorised users can access the system. Rejected access attempts must be monitored.
- Section 19 of the Executive Order on Security, on logging, must be observed.

If the data processor is located in an EU country other than Denmark, the data processor must also comply with the security requirements of that EU country, cf. section 42 (2) and (3) of the Act.

[2] European Network and Information Security Agency.

2.3.2 Data processor agreement

When a data controller transfers data to a data processor, the data controller must actively ensure that the data processor observes the necessary data security. Thus, a written agreement (a data processor agreement) must be concluded between the data controller and the data processor when personal data is transferred, cf. section 42 (2), first sentence, of the Act and section 7 of the Executive Order on Security. The agreement must state that the data processor acts solely on instructions from the data controller. Furthermore, the agreement must state that the data processor must take the necessary technical and organisational security measures. If the data controller is a public authority, the data processor agreement must state that the rules of the Executive Order on Security are observed by the data processor.

2.3.3 Cloud supplier outside the EU, including special rules for transfer to locations outside the EU

Section 27 of the Act regulates when data may be transferred to e.g. data processors in a third country (a country outside the EU/EEA). As a general rule, when personal data is transferred to a third country under section 27, the remaining rules of the Act must still be met, cf. section 27 (5). When using a cloud supplier outside the EU, the following options are available for transferring data to third countries:

A. Transfer to a secure third country
B. The Safe Harbor agreement
C. The Commission's model clauses on transfer of data to third countries

A. Transfer to a secure third country

Section 27 (1) of the Act states that data may only be transferred to a third country if that country ensures an adequate level of protection. As of 15 June 2010, the Commission has found that the following third countries in general ensure an adequate level of protection, by legislation or other measures: Switzerland, Canada (on a limited scale), Argentina, Guernsey, the USA (on a limited scale), the Isle of Man, Jersey, the Faroe Islands, Andorra and Israel. The register of generally approved countries can be found on the Danish Data Protection Agency's website. Transfer of data to cloud suppliers in these countries may therefore be made in accordance with section 27 (1). Such transfer does, in certain cases, require authorisation from the Agency, cf. section 50 (2) of the Act.

B. The Safe Harbor agreement

As mentioned above, data may only be transferred to a third country if that country ensures an adequate level of protection, cf. section 27 (1). The EU Commission has decided that American companies which have joined the so-called Safe Harbor agreement are deemed to ensure an adequate level of protection for personal data transferred from the EU to them. Transfer of personal data to such companies may therefore be made according to section 27 (1). Such transfer does, in certain cases, require authorisation from the Agency, cf. section 50 (2).

C. The EU Commission's model clauses on transfer to third countries

Where the third country does not ensure an adequate level of protection (and none of the exceptions listed in section 27 (3) makes the transfer possible), the Danish Data Protection Agency may authorise transfer of data to the third country. Such authorisation is conditional on the data controller providing adequate safeguards for the protection of the rights of the data subjects, cf. section 27 (4). The Commission has found that the requirement in section 27 (4) of adequate safeguards may be met by certain standard contractual clauses.

Provided that the data controller enters into an agreement with a cloud supplier on terms based on the Commission's model clauses, transfer of personal data to the cloud supplier may be authorised. Furthermore, the model clauses allow that only one authorisation for transfer of personal data to a given data processor in a third country has to be obtained, even when the data processor uses sub-processors that are also based in third countries. If the data processor is based within the EU and uses sub-processors in a third country, transfer of personal data may take place if:

- the data controller within the EU enters into an agreement, on terms based on the Commission's standard contractual clauses, directly with the sub-processor in the third country, or
- the data controller authorises the data processor in the EU to agree terms with the sub-processors in the name of and on behalf of the data controller.

The Commission's model clauses are available on the Commission's website: http://ec.europa.eu/justice/policies/privacy/modelcontracts/index_en.htm Reference is also made to the information on transfer of data to third countries on the Danish Data Protection Agency's website.

2.3.4 Duty of notification

The Act contains the principal rule that the Danish Data Protection Agency must be notified before processing of personal data is commenced. Where the notification concerns personal data covered by sections 7 and 8, the Agency must issue an authorisation or an opinion before the processing begins. This applies to cloud computing as well as to other cases where personal data is processed. In most cases, public authorities and private companies will already have notified the Agency. If the IT architecture forming the basis for a solution is changed, e.g. if parts of the IT system are converted into cloud solutions, it is not always necessary to re-notify the Agency of the processing; in some cases it will only be necessary to update the existing notification. It is initially for the data controller to assess whether the previous notification remains valid, or whether the conversion, e.g. to a cloud computing solution, requires a new notification or an update of the current one.

Reference is made to chapter 12 of the Act (sections 43-47) and the Danish Data Protection Agency's guidelines nr 125 of 10 July 2000 regarding notification of processing carried out on behalf of the public administration. Reference is also made to chapter 13 of the Act (sections 48-51) regarding notification of processing carried out on behalf of private data controllers. These documents can be found on the Agency's website www.datatilsynet.dk. It should also be noted that transfer of personal data to third countries in certain cases requires authorisation from the Agency, cf. section 50 (2). The duty of notification lies with the data controller even when the processing of personal data, under a data processor agreement, is carried out by a data processor.

2.4 Certain critical information

When a data controller which is a public authority processes data of special interest to foreign powers, precautions must be taken to ensure that the data can be disposed of or destroyed in the event of war or similar events, cf. section 41 (4) of the Act. This rule primarily concerns data included in registers which may be of special interest to a foreign power, e.g. for locating individuals with special training or education, or special equipment such as vehicles, which could assist the foreign power in case of occupation. This rule, the so-called war rule, entails that e.g. information from the Civil Register (CPR-registret), central tax registers and other special registers in general must not be transferred to a data processor outside Denmark. Whether the data controlling authority can in such a case transfer personal data covered by section 41 (4) to a cloud supplier depends on an individual assessment, made in the first instance by the data controller itself. If the data controller is in doubt, it may contact the Danish Data Protection Agency.

3. Other relevant legislation

This section presents other legislation which in some cases may be relevant to observe in relation to cloud computing.

3.1 The Bookkeeping Act (Bogføringsloven)

The Bookkeeping Act [3] regulates the general minimum requirements for a company's bookkeeping. According to section 10 of the Bookkeeping Act, financial records must be stored securely for 5 years from the end of the financial year they concern. This means that the financial records must, during the entire storage period, be protected against theft, fire and other intentional or unintentional destruction or loss, insofar as this is reasonable. If the records are stored digitally, regular backups of the records must be made, and the backup copy must be checked for readability.

The starting point of section 12 of the Bookkeeping Act is that financial records must be stored in Denmark or in the Nordic countries [4]. This applies to both physical vouchers and digital data. Hence, if financial records are stored on a server physically located outside Denmark, a complete copy must be kept in Denmark; it is not sufficient to have online access to the foreign server on which the records are stored. If the financial records are stored on a foreign server (e.g. with a cloud service), it is therefore necessary to download a copy of the records electronically or to make sure that a paper copy is available. The electronic copy must be placed on a server in Denmark and be retrievable, readable and printable without further processing. Under the Bookkeeping Act regulations it is sufficient to make such a copy (electronic or paper) on a monthly basis.

The rule that financial records as a starting point must be stored in Denmark is based, inter alia, on the consideration that public authorities must be able to perform their tasks. The purpose of the storage requirements is to ensure that e.g. the Central Tax Administration (SKAT) has easy access to financial records in connection with inspections or investigations. The Danish Commerce and Companies Agency may, on prior application, grant exemption from the above requirements concerning storage of financial records in Denmark. Based on the considerations mentioned, the Agency has so far only in special circumstances, and subject to a number of additional conditions, granted exemption for storing financial records exclusively abroad. For vouchers, exemption for exclusive storage abroad cannot be granted. Financial records may at all times be stored abroad, provided that an exact copy of the records exists in Denmark, e.g. electronically.

3.2 The Audit Act (Regnskabsloven)

The government's accounting is regulated by the Audit Act and the Danish Executive Order on the Preparation of Financial Statements [5].

[3] Consolidated act nr 648 of 15 June 2006.
[4] Act nr 250 of 23 March 2006 on storing financial records abroad.
[5] Act nr 131 of 28 March 1984 on the Government's accounts etc.

As for business enterprises, financial records of governmental institutions must be stored securely for 5 years from the end of the financial year they concern, unless a longer period follows from other legislation. The records must be kept so that, during the entire storage period, independent and unambiguous retrieval of the records in question is possible, cf. section 44 of the Danish Executive Order on the Preparation of Financial Statements. The starting point of section 45 of the Audit Act is that financial records must be stored in Denmark. This applies to both physical vouchers and digital data. As under the Bookkeeping Act described above, this means that financial records may be stored on a server abroad provided that an exact copy of the records is made at least monthly. Such a copy must be placed on a server in Denmark or kept on paper. The Agency for Governmental Management may grant exemption from section 45 for institutions which need to store financial records in the Nordic countries (Finland, Iceland, Norway and Sweden).

3.3 The Archive Act (Arkivloven)

The Archive Act [6] and the regulations issued under it concern the archives of public authorities. The Archive Act is only relevant to cloud computing if an authority chooses to store or run its case management system in a cloud solution. In that case the authority must observe the rules of the Archive Act. The public archives assume responsibility for preservation of the individual archives when these are transferred to the public archives, cf. section 8 (3). Until then, authorities must observe archival considerations, including that the archives are stored securely, cf. section 8 (1). Furthermore, authorities must, according to section 8 (2), ensure that archives stored digitally are kept so that they can be transferred to the public archives. Detailed regulations on archival considerations (cf. section 8 (1)) about the processing, storage and disposal of government agencies' archives can be found in the Danish Executive Order on the Preparation of Archives [7].

[6] Consolidated act nr 1035 of 21 August 2007.
[7] Nr 591 of 26 March 2003 on public archives and public archives activities.