1 TAIEX JHA 52182 - Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.


1 Data transfers to third countries and standard contractual clauses
Manuel Villaseca, CISA, CISM
Spanish Data Protection Agency

2
- International data transfers
- Legal status of participants in a typical cloud scenario
- Changes in a cloud model
- Alternatives for international data transfers in the cloud

3 INTERNATIONAL DATA TRANSFERS
- TO THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION
- US organisations adhering to Safe Harbour Agreement
- TO THIRD COUNTRIES WITHOUT AN ADEQUATE LEVEL OF PROTECTION

4 SAFE HARBOUR PROVISIONS
- The Commission recognises that US organisations adhering to Safe Harbour principles have an adequate level of protection (Decision 2000/520/EC).
- It does require a service-provision contract (FAQ 10 of Decision 2000/520/EC).
- The service-provision contract may authorise subcontracting.
- The Safe Harbour onward transfer principle obliges service providers to subcontract other organisations adhering to Safe Harbour principles, or to draw up a contract enforcing compliance with data protection principles (linking of safeguards).
- WP 29 warning on Safe Harbour certification to companies exporting data (WP 196).

5 WITHOUT AN ADEQUATE LEVEL OF PROTECTION
- The controller adduces ADEQUATE SAFEGUARDS with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights (Art 26.2 Directive 95/46 EC).
- One of the exceptions (derogations) provided for in Article 26.1 Directive 95/46 EC applies.

6 ADEQUATE SAFEGUARDS
- The data exporter and data importer have concluded a contract using one of the three sets of Standard Contractual Clauses approved by the European Commission.
- A multinational corporation has adopted Binding Corporate Rules for transfers of personal data.
- The data exporter and data importer have concluded a contract which includes appropriate contractual clauses (ad hoc) relating to data protection, and the supervisory authority of the Member State has accepted these clauses.

7 Sets of Standard Contractual Clauses approved by the European Commission:
- Standard Contractual Clauses from controller/exporter to controller/importer (Business clauses)
  - European Commission Decision 2001/497 EC
  - European Commission Decision 2004/915 EC
- Standard Contractual Clauses from controller/exporter to processor/importer
  - European Commission Decision 2002/16 EC (Derogated)
  - European Commission Decision 2010/87 EC

8
- Member States recognise standard clauses as providing adequate safeguards
- The law of Member States must be observed prior to the transfer
- Additional clauses are possible as long as they do not contradict the SCC
- No amendments and changes are allowed
- A further authorisation depends on the Member State's legislation
- Deposit of the contract depends on the Member State's legislation
- Prohibition or suspension of international data transfers based on SCC

9 STANDARD CONTRACTUAL CLAUSES FROM CONTROLLER/EXPORTER TO PROCESSOR/IMPORTER
- European Commission Decision 2002/16 EC (Derogated)
- European Commission Decision 2010/87 EU
  – Customer call centers
  – Online marketing
  – Administrative work services
  – Hosting activities
  – Technical support of the database

10 STRUCTURE Decision 2010/87 EU
- 4 Articles
- 12 Standard Contractual Clauses
- Appendix 1: Minimum information about the transfer
- Appendix 2: Security Measures implemented by the data importer

11 STANDARD CONTRACTUAL CLAUSES CONTENT Decision 2010/87 EU
- Definitions
- Data exporter obligations
- Data importer obligations
- Sub-processing:
  - Prior written consent of the data exporter
  - Written agreement with the sub-processor
  - List of sub-processing agreements updated at least once a year and available to the data exporter’s data protection supervisory authority

12 Safeguards Decision 2010/87 EU
- Third party beneficiary clause
- Liability: compensation for damages
- Disputes: mediation or courts in the Member State in which the data exporter is established.

13 PROPOSAL FOR A GENERAL DATA PROTECTION REGULATION
Transfers to third countries without an adequate level of protection may take place on the basis of:
– Binding corporate rules
– Standard Data Protection Clauses adopted by the Commission
– Standard Data Protection Clauses adopted by a Supervisory Authority
– Contractual Clauses between the controller or processor and the recipient of the data, authorised by a Supervisory Authority

14 LEGAL STATUS OF PARTICIPANTS
The customer as data controller:
– Determines the purpose, content and use of the processing
  - Determines whether to choose cloud computing (total or partial)
  - Determines the type of cloud computing (especially regarding International Data Transfers)
  - Determines the cloud computing service types
– Responsible for the processing of personal data (cannot be delegated)
– CCP as data processor

15 The traditional controller/processor relationship does not fit the cloud computing model
– Instructions from the controller to the processor
– Non-communication to third parties even for preservation
– Specification of security measures to be implemented by the processor
– Data destroyed or returned once the service has been provided

16 Diligence required from the controller
- Ensure that the processor complies with the required guarantees
- Obtain information on contractual safeguards
- Diligently exercise the function of data controller vis-à-vis data subjects
  – Portability
  – Exercise of data subject rights

17 Diligence required by the processor
– Detailed information on the type of cloud computing and the services it offers (type of cloud, type of services, participants in the provision of services, IDTs)
– Information on security measures (levels of security, audit, encryption, security incidents)
– Information on portability

18 Decision 2010/87 (Recital 23)
Contractual framework that comprises two agreements
- Controller-processor agreement:
  – Signed on a case-by-case basis by the controller/customer (Framework contract) in accordance with the applicable data protection law
  – Reference to contractual safeguards authorised for IDTs
- Draft ad hoc contractual clauses “EU data processor to non-EU sub-processor” (WP214)

19 PROCESSOR - SUB-PROCESSOR SUBCONTRACTING
Decision 2010/87 safeguards adapted:
- Applicable law: Law of the controller
- Information on subsequent sub-processors
- Third-party beneficiary clause
- Cooperation with the DPA
Possibility of authorising general contracting terms and conditions adapted to cloud-computing business models (EU main data controller, third-country main processor and third-country sub-processors)

20 Possible modalities adapted to Cloud Services
- Customer as controller and CSP as processor
- Safeguards in an ad hoc contract based on the guarantees provided by SCC 2010/87/EU (WP 196)
- Safeguards adapted to cloud business model:
  - A single contract by subcontractor
  - Transparency to the customer about sub-processors
  - Possibility to object to new subcontractors
- Security measures
- Auditing
- Portability

