1 / 13

Personal data processed in cloud infrastructures: main legal aspects

Personal data processed in cloud infrastructures: main legal aspects. Avv. Enrico Pelino Attorney at Law at Bologna Bar, Italy Senior Associate at ICTlegalconsulting EPA fellow enrico.pelino@ictlegalconsulting.com. Personal data processed in cloud infrastructures main legal aspects.

williamsmargaret
Download Presentation

Personal data processed in cloud infrastructures: main legal aspects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Personal data processed in cloud infrastructures: main legal aspects Avv. Enrico Pelino Attorney at Law at Bologna Bar, Italy Senior Associate at ICTlegalconsulting EPA fellow enrico.pelino@ictlegalconsulting.com

  2. Personal data processed in cloud infrastructuresmain legal aspects Cloud computing raises significant issues in several legal areas • data protection and data security • competition-related issues • freedom of expression • intellectual property protection • ...

  3. Personal data processed in cloud infrastructuresmain legal aspects What are personal data and why are they significant in a research infrastracture? Some data + a natural person + connection (even indirect) between them = personal data

  4. Personal data processed in cloud infrastructuresmain legal aspects • which is the applicable national law? • are transfers of personal data to non-EU countries legitimate? • which set of security measures shall be applied? • Are data subjects granted rights to control their personal data? • Can the cloud provider be held liable? Main data protection issues

  5. Personal data processed in cloud infrastructuresmain legal aspects Applicable law • First: which is the data controller? • Second: is it established within the EU? Art. 29 Working Party’s notion of establishment • Third: does it uses equipment placed in the EU? • What really matters: the allocation of roles

  6. Personal data processed in cloud infrastructuresmain legal aspects Which set of applicable security measures? Art. 17(3) of Directive 95/46/EC • Establishment of the processor

  7. Personal data processed in cloud infrastructuresmain legal aspects Transfers of personal data to non-EU countries • Adequate level of protection (including organizations adhering to Safe Harbor ) Or: • Consent (or other cases set forth in art. 26(1) Dir 95/46/EC) • Contract (with data recipient) • ad hoc contract • model clauses • Binding corporate rules

  8. Personal data processed in cloud infrastructuresmain legal aspects The data subject’s rights • right to access • right to rectify • right to erasure/blocking • right to object forthcoming: • right to data portability • right to be notified of any serious breach of personal data • right to be forgotten • ...

  9. Personal data processed in cloud infrastructuresmain legal aspects Data controller’s liability Controller shall: • implement appropriate measures • ensure a level of security appropriate to the risks • choose a processor providing sufficient guarantees Controller is fully liable for compliance with those measures. Art. 23 Dir. 95/46/EC: • any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation from the controller for the damage suffered

  10. Personal data processed in cloud infrastructuresmain legal aspects Data controller’s accountability • Art. 29 WP’s opinion no. 3/2010 controllers shall: • put in place adequate and effective measures • demonstrate so to DPAs • Art. 29 WP’s opinion no. 5/2012 controllers shall: • demonstrate that they have acted as to implement data protection principles • Regulation art. 22

  11. Personal data processed in cloud infrastructuresmain legal aspects Any change in sight? The forthcoming Regulation on data protection • one common legal text instead of 27 legal texts • European citizenship as an additional criteria for applicable legislation • a more mature view of transparency, accountability, data subjects’ rights, ...

  12. Personal data processed in cloud infrastructuresmain legal aspects Protection of intellectual property and other assets • A robust contract • SLAs (PLAs) • Direct control over the cloud provider (e.g. control panels) • Access logs • Third party’s audit • Effective measures against vendor lock-in • ...

  13. Contact information ICT Legal Consulting is present in nine other European countries: Austria, Belgium, France, Germany, Greece, the Netherlands, Poland, Spain and United Kingdom.  Milan Via De Togni 14 Telefono: +39 02 84573267 Rome Piazza di San Salvatore in Lauro, 13 Telefono: +39 06 97842491 Bologna Via delle Lame 24 Telefono: +39 051 0491814

More Related