GDPR — Data breach: How to avoid the pitfalls

Islet Group blog, published 12 April 2018 (updated 28 May 2019). https://isletgroup.fi/en/2018/04/12/gdpr-data-breach/

Personal data breaches, contracts and cloud services raise many questions with regard to the GDPR, even though they make up only a fraction of what the data protection regulation requires organizations to consider. In this blog post we go through a few points on these subjects that have raised the most questions among our customers.

Once an organization becomes aware of a personal data breach, or has a justifiable reason to suspect one, it is legally required to notify the supervisory authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to data subjects' rights and freedoms, the data subjects themselves must also be informed and told what they can do to limit the damage.

Concealing a breach, or negligently failing to detect it, gives the authorities the right to impose the administrative penalties laid down in the regulation. In practice these take the form of fines, set with the circumstances of each breach taken into account, or of orders to correct the way personal data is processed.

The supervisory authority can also suspend the processing of personal data. Sanctions are possible even where the controller had adequate encryption or other protection in place for the personal data but left it unmaintained, poorly maintained or neglected. In addition, anyone who suffers damage from the breach has the right to seek compensation from the controller or the processor. It is therefore more than wise to have a process ready for the event of a data breach.

Outsourcing and responsibilities

Nearly all organizations use outsourced services. Liability with regard to external service providers, and the degree to which responsibility can be outsourced to them, remain unclear to many. To be clear: the controller is responsible for the processing of personal data, and that responsibility cannot be outsourced.

The responsibility stays with the organization itself; possible compensation between the parties can be agreed separately. It is therefore vital that contracts with service providers contain clauses on the responsibilities and duties of each party in the processing of personal data.

The GDPR sets certain requirements for the contents of such a contract. If a company has outsourced its data processing to a third party, it should review these contracts and verify that they comply with the data protection regulation. Such an external data processor can be, for instance, a payroll service provider, a cloud service provider or an outsourced sales and marketing agency.

According to the regulation, when the processing of personal data is outsourced, the controller (the party that decides on the processing and on whose behalf the register is created) and the processor (the party that records, collates, uses and/or retains the data on the controller's behalf) must agree in writing on at least the following:

- Subject-matter and duration of the processing
- Nature and purpose of the processing
- Type of personal data and the categories of data subjects
- Obligations and rights of the controller

It is highly recommended to state in all future contracts that your organization will be GDPR compliant by May 2018 at the latest.

"Typically, a public cloud service provider retains the right to change its terms of use as it wishes, including the right to transfer data outside the EU/EEA area. So, how should one react to something like this?"

Under the GDPR, the controller and the processor need to know where personal data is processed and stored. Transfers of personal data outside the European Economic Area remain tightly restricted under the regulation. Cloud computing services may use servers located outside the EU/EEA, and a cloud provider's data processing equipment may be controlled by service providers based outside the EU. In such cases the transfer of personal data must take place within the transfer mechanisms set out in the data protection regulation.

As the new regulation creates new obligations and additional administrative work for companies, the planning and execution of GDPR compliance should start as soon as possible. The time left to transition to the GDPR is about a year, so the window for becoming compliant is rather short. Now is the time to act. An analysis of the current data security and data protection status by an external specialist is a recommended first step. We are more than happy to help you get ready for GDPR!

Contact Information:
Piia Hoffsten (https://isletgroup.fi/en/2019/04/03/piia-hoffsten/)
Chief Operating Officer
piia.hoffsten (a) isletgroup.fi
+358 40 5877 303

Buzzwords: #GDPR #dataprotection #cybersecurity #datasecurity #privacy #processes #databreach