"Representative" means any natural or legal person established in the
European Union who, explicitly designated by the controller, acts and may be
addressed by any supervisory authority and other bodies in the EU instead of the
controller, with regard to the obligations of the controller under this regulation.
"Processor" means a natural or legal person, public authority, agency or any
other body which processes personal data on behalf of the controller.
"Main establishment" means the controller's place of establishment in the
European Union where the main decisions as to the purposes, conditions and
means of the processing of personal data are taken; if no decisions as to the
purposes, conditions and means of the processing of personal data are taken in
the European Union, the main establishment is the place where the main
processing activities in the context of the activities of a controller's establishment
in the EU take place. The processor's "main establishment" means the place of
its central administration in the EU.
"Processing" means any operation or set of operations which is performed
upon personal data or sets of personal data, whether or not by automated means,
such as collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, erasure or destruction.
2.2 Territorial Scope
The EU regulation will apply to the processing of personal data in the context
of activities of an establishment of a controller or a processor in the EU. It also
applies to the processing of personal data of data subjects residing in the EU by
controllers not established in the EU, where the processing activities are related
to:
- the offering of goods or services to such data subjects in the EU, or
- the monitoring of their behavior.
3 Evaluation Framework
This section presents an evaluation framework for organizations which decide to
outsource part of their IT to a cloud service provider. The framework should help
to decide whether a cloud provider can be considered reliable. The areas of relevance
are based on information provided by widely accepted institutions such as
NIST or the Cloud Security Alliance. The concerns and risks of these areas are
linked with the upcoming EU data protection regulation to understand what a
company and a provider have to consider and implement to comply with the proposed
regulation. The framework highlights the responsibilities of both provider and
user.
The different areas of relevance have already been analyzed in the literature.
NIST summarized security and privacy issues and recommendations an
organization should follow in their "Guidelines on Security and Privacy in Public