client 26 to his national data protection authority), preferably annexed to the SLA,
aimed at regulating the specific privacy issues raised by the processing of the data
provided by each client. In particular, this contract shall describe how the data
provided by the customer are processed (the fact that a Grid/Cloud-based delivery
model is adopted should be explicitly mentioned here), list the security measures
applied by SaaSforyou, and identify the employees who have access to the data. A
fundamental point is also the proxy (i.e. the customer's authorisation) to subcontract
the processing of the data to other companies, such as SuperICTResources. Without this
proxy, which can refer to a specific technology provider or to a list of Grid/Cloud
suppliers, SaaSforyou cannot outsource the processing of data to another party, i.e.
cannot send the customers' data to SuperICTResources in order to deliver back the
service. This is a very important aspect to highlight, especially in the field of SaaS,
given that the SaaS paradigm relies on the involvement of a technology provider
in order to deliver services 27 .
Furthermore, if the Grid/Cloud supplier is established in an EU Member State,
or in a non-EU country that has been recognised by the European Commission or
by the competent national data protection authority as providing an adequate level
of protection, there is no particular problem, since the level of protection afforded
to the processed data is presumed to be equivalent. Things are different if the
technology provider is located in a third country (such as the United States): in
this case the specific regime governing international transfers of personal data
applies and, since this involves additional obligations for both controllers and
processors, specific contracts may need to be signed based on the model contracts
published by the European Commission for that purpose 28 . Such contracts are
expected to be 'automatically' accepted, once notified, by the national data
protection authorities of the Member States. From a different perspective, it is also
advisable that SaaSforyou informs its clients whenever the Grid/Cloud provider
changes, preferably in written form, by submitting to the customers a proposed
addendum to, or modification of, the abovementioned privacy contract (note that
this applies even when the new Grid or Cloud provider/sub-contractor is based in
the EU).
Apart from that, a further privacy contract shall be signed between SaaSforyou
(which is at the same time the service provider towards its clients and the customer
of the Grid/Cloud provider) and the Grid/Cloud provider. A trilateral agreement
between service provider, technology supplier and end user is also theoretically
possible, although quite unrealistic. This contract, to be notified, if such notification
is required by the applicable national legislation, to the data protection authority of
26 Art. 4 of the Data Protection Directive states, in essence, that the place of establishment of
the data controller determines the national law applicable to the processing of the data.
27 In other words: any transfer of personal data between parties involves the signing of a
contract regulating the privacy obligations of the parties. This includes onward transfers to
third parties, which should always be notified to the counterparts. This point is pivotal in so
far as the controller may be subject to an obligation to notify such a transfer to the national
data protection authority.
28 See http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (retrieved
27/2/2009).