ICTLC Paolo Balboni, Ph.D.

Transcription

1 Managing personal data protection compliance: Privacy Level Agreements (PLA V3 CoC) for cloud service providers CSA NL Summit Leiden, The Netherlands, 13 April2017 Paolo Balboni, Ph.D. Founding Partner at ICT Legal Consulting & President of the European Privacy Association paolo.balboni@ictlegalconsulting.com - pbalboni@europeanprivacyassociation.eu -

2 Agenda 1. Regulation (EU) 2016/679 (GDPR): compliance timeline & methodology 2. PLA_V3 CoC: a compliance tool with Regulation (EU) 2016/ Q&A 2

3 EU Data Protection Reform 2012 April 2016 May May Start of reform process aiming to align data protection laws of the EU s 28 Member States, and update rules for the digital age GDPR is enacted after years of difficult negotiations Text published in the OJEU - enters into force 20 days after publication GDPR applies throughout the EU after 2-year transition period Current legal framework based on Directive 95/46/EC inconsistent patchwork of national laws. GDPR objectives: high level of protection (maintains data protection principles), modernization, harmonization, more effective implementation 3

4 Accountability Rights of the data subject Data protection by design & by default Legitimate basis Simplified Data Processing Cycle Data protection impact assessment PLA V3 Informatio n to the data subject 4

5 CSA Privacy Level Agreement (PLA V3) Goal: - Provide CSPs a tool to achieve EU-wide data protection compliance with the GDPR - Provide cloud customer with a tool to evaluate CSP EUwide data protection compliance with the GDPR Structure: Follows EU actual and forthcoming Data Protection Law Considers differences between CSP-controller and CSPprocessor

6 PLA V2(V3) Table (Annex 1)

7 Accountability Rights of the data subject Data protection by design & by default Legitimate basis Simplified Data Processing Cycle Data protection impact assessment PLA V3 Information to the data subject 7

8 Thank you for your attention! Q&A Paolo Balboni, Ph.D. Founding Partner at ICT Legal Consulting & President of the European Privacy Association paolo.balboni@ictlegalconsulting.com - pbalboni@europeanprivacyassociation.eu ICT Legal Consulting - All rights reserved. This document or any portion thereof may not be reproduced, used or otherwise made available in any manner whatsoever without the express written permission of ICT Legal Consulting, except for the use permitted under applicable laws Milan - Bologna - Rome - Amsterdam 8

9 Paolo Balboni PAOLO BALBONI, Ph.D President of the European Privacy Association, Cloud Computing Sector Director and responsible for Foreign Affairs at the Italian Institute for Privacy, Lawyer admitted to the Milan Bar specialised in ICT, new technologies law and personal data protection. Lead Auditor BS ISO/IEC 27001:2013 (IRCA Certified). He provides legal advice to multinational companies, especially concerning personal data protection, e-contracts, e-commerce, e- marketing, advertising, cloud computing, Web 2.0 service providers' liability, Internet content providers liability, e-signatures, digital retention of documents and intellectual property rights. Balboni has considerable experience in Information Technologies including Cloud Computing, Big Data, Analytics, and the Internet of Things, Media and Entertainment, Healthcare, Fashion, Insurance, Banking, Anti Money Laundering (AML), and Counter-Terrorist Financing (CFT). Author of the book Trustmarks in E-commerce, Paolo Balboni is Visiting Expert at the Maastricht European Centre on Privacy and Cybersecurity and Research Associate at Tilburg University (The Netherlands). He was selected to be part of the drafting group of the European Union Commission Data Protection Code of Conduct for Cloud Service Providers (under Key Action 2: Safe and fair contract terms and conditions of the European Union Cloud Strategy). He co-chairs the Privacy Level Agreement (PLA) Working Group of Cloud Security Alliance and has acted as the legal counsel for the European Network and Information Security Agency (ENISA) projects on Cloud Computing Risk Assessment, Security and Resilience in Governmental Clouds, Procure Secure: A guide to monitoring of security service levels in cloud contracts and Common Assurance Maturity Model Beyond the Cloud (CAMM). He is actively involved in European Commission studies on new technologies and data protection. He obtained his Law Degree with distinction from the University of Bologna in 2002 and a Ph.D. from Tilburg University on Comparative ICT Law in He speaks fluent Italian, English and Dutch, and has good knowledge of French, Spanish and German. 9

10 ICT Legal Consulting ICT Legal Consulting is an Italian law firm with offices in Milan, Bologna, Rome and Amsterdam. The firm is present in 19 other countries: Australia, Austria, Belgium, Brazil, China, France, Germany, Greece, Mexico, Poland, Portugal, Romania, Russia, Slovakia, Spain, the United Kingdom the United States, Turkey and Hungary. 10

11 ICT Legal Consulting I Awards 11

12 ICT Legal Consulting I Contacts Milano Via Zaccaria, Milano - Italia Telefono: Fax: Bologna Via Ugo Bassi, Bologna - Italia Telefono: Fax: Roma Piazza di San Salvatore in Lauro, Roma - Italia Telefono: Fax: Amsterdam Veemkade, HE - Amsterdam - Paesi Bassi Telefono: +31 (0) Fax: +31 (0) ICTLC ICT Legal Consulting is present in 19 other countries: Australia, Austria, Belgium, Brasil, China, France, Germany, Greece, Mexico, Poland, Portugal, United Kingdom, Romania, Russia, Slovakia, Spain, United States, Turkey, Hungary Follow us on: contact info@ictlegalconsulting.com Skype contact Ict.legal.consulting 12