1 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 Data transfers to third countries and standard contractual clauses Manuel Villaseca CISA, CISM Spanish Data Protection Agency

2 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014  International data transfers  Legal status of participants in a typical cloud scenario  Changes in a cloud model  Alternatives for international data transfers in the cloud

3 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 INTERNATIONAL DATA TRANSFERS  TO THIRD COUNTRIES WITH AN ADEQUATE LEVEL OF PROTECTION  US organisations adhering to Safe Harbour Agreement  TO THIRD COUNTRIES WITHOUT AN ADEQUATE LEVEL OF PROTECTION

4 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 SAFE HARBOUR PROVISIONS The Commission recognises that US organisations adhering to Safe Harbour principles have an adequate level of protection (Decission 2000/520/EC). It does require a service-provision contract (FAQ 10 of Decission 2000/520/EC) The service-provision contract may authorise subcontracting The Safe Harbour onward transfer principle obliges service providers to subcontract other organisations adhering to Safe Harbour principles, or to draw up a contract enforcing compliance with data protection principles (linking of safeguards) WP 29 warning on Safe Harbour certificationto companies exporting data (WP 196)

5 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 WITHOUT AN ADEQUATE LEVEL OF PROTECTION  The controller adduces ADEQUATE SAFEGUARDS with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights (Art 26.2 Directive 95/46 CE)  One of the exceptioned situations (derogations) provided for in Article 26.1 Directive 95/46 EC takes place.

6 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 ADEQUATE SAFEGUARDS  The data exporter and data importer have concluded a contract using one of the three sets of Standard Contractual Clauses approved by the European commission.  A multinational corporation has adopted Binding Corporate Rules for transfers of personal data.  The data exporter and data importer have concluded a contract which includes appropriate contractual clauses (ad hoc) relating to data protection and the supervisory authority of the member state has accepted these clauses.

7 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 Sets of Standard Contractual Clauses approved by the European commission:  Standard Contractual Clauses from controller/exporter to controller/importer (Business clauses) - European Commission Decision 2001/497EC - European Commission Decision 2004/915 EC  Standard Contractual Clauses from controller/exporter to processor/ importer -European Commission Decision 2002/16 EC (Derogated) -European Commission Decision 2010/87 EC

8 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014  Member states recognise standard clauses as providing adequate safeguards  The law of member states must be observed prior to the transfer  Additional clauses are possible as long as they do not contradit SCC  No amendments and changes are allowed  A further authorisation depends on the member states legislation  Depositi of the contract depends on the member states legislation  Prohibition or suspension of international data transfers based on SCC

9 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 STANDARD CONTRACTUAL CLAUSES FROM CONTROLLER/EXPORTER TO PROCESSOR/IMPORTER - European Commission Decision 2002/16 EC (Derogated) -European Commission Decision 2010/87 EU –Customer call centers –Online marketing –Administrative work services –Hosting activities –Technical support of the data base

10 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 STRUCTURE Decision 2010/87 EU 4 Articles 12 Standard Contractual Clauses Appendix 1: Minimun information about the transfer Appendix 2: Security Measures implemented by the data importer

11 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 STANDARD CONTRACTUAL CLAUSES CONTENT Decision 2010/87 EU Definitions Data exporter obligations Data importer obligations Sub-processing: -Prior written consent of the data exporter -Written agreement with the sub-processor -List of sub-processing agreement updated at least once a year and available to the data exporter’s data protection supervisory authority

12 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 Safeguards Decision 2010/87 EU -Third party beneficiary clause -Liablility: compensation for damages -Disputes: mediation or courts in the Member State in which the data exporter is established.

13 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 PROPOSAL FOR A GENERAL DATA PROTECTION REGULATION To third countries without an adequate level of protection the transfers may take place: –Binding corporate rules –Standard Data Protection Clauses adopted by the Commission –Standard Data Protection Clauses adopted by a Supervisory Authority –Contractual Clauses between the controller or processor and the recipient of the data authorised by a Supervisory Authority

14 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 The customer as data controller: –Determines the purpose, content and use of the processing Determines whether to choose cloud computing (total or partial) Determines the type of cloud computing (especially regarding International Data Transfers) Determines the cloud computing service types –Responsible for the processing of personal data (cannot be delegated) –CCP as data processor LEGAL STATUS OF PARTICIPANTS

15 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 The traditional controller/processor relationship does not fit the cloud computing model –Instructions from the controller to the processor –Non-communication to third parties even for preservation –Specification of security measures to be implemented by the processor –Data destroyed or returned once the service has been provided

16 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 Diligence required from the controller Ensure that the processor complies with the required guarantees Obtain information on contractual safeguards Diligently exercise the function of data controller vis-à- vis data subjects –Portability –Exercise of data subject rights

17 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 Diligence required by the processor –Detailed information on the type of cloud computing and the services it offers (type of cloud, type of services, participants in the provision of services, IDTs) –Information on security measures (levels of security, audit, encryption, security incidents). –Information on portability

18 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 Decision 2010/87 (Recital 23) Contractual framework that comprises two agreements Controller-processor agreement: –Signed on a case-by-case basis by the controller/customer (Framework contract) in acordance with the applicable data protection law –Reference to contractual safeguards authorised for IDTs Draft Ad hoc contractual clauses “EU data processor to non- EU sub-processor” WP214

19 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014 Decision 2010/87 safeguards adapted: Applicable law: Law of the controller Information on subsequent sub-processors Third-party beneficiary clause Cooperation with the DPA Possibility of authorising general contracting terms and conditions adapted to cloud-computing business models (EU main data controller, third-country main processor and third-country sub-processors) PROCESSOR - SUB-PROCESSOR SUBCONTRACTING

20 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014  Customer as controller and CSP as processor  Safeguards in an ad hoc contract based on the guaranties provided by SCC 2020/87/EU (WP 196)  Safeguards adapted to cloud business model: o A single contract by subcontractor o Transparency to the customer about sub processors. o Possibility to object new subcontractors  Security measures  Auditing  Portability Possible modalities adapted to Cloud Services