Information Technology Reference
In-Depth Information
According to Article 34 (1) and (2) "Prior authorization and prior
consultation", the controller or the processor has to obtain an authorization
from the supervisory authority prior to the processing of personal data.
According to Article 35 (1), the controller and processor shall designate a
data protection officer if the processing is carried out by a public
authority or by an enterprise with 250 employees or more.
To ensure the effectiveness of these measures, the controller has to
implement mechanisms for their verification. The verification shall be carried
out by independent internal or external auditors.
- According to Article 24 "Joint Controller", if a controller decides to
determine the purpose, conditions and means of processing personal data jointly
with others, the joint controllers have to determine their respective
responsibilities to comply with the regulation.
- According to Article 26 "Processor", a controller shall choose a processor
providing sufficient guarantees to implement appropriate technical and
organizational measures as well as procedures in such a way that the processing
will comply with the regulation. The processing shall be governed by a
contract binding the processor to the controller. In particular, the processor
shall:
  - act only on instructions from the controller;
  - employ only reliable staff;
  - implement all required measures according to security of processing;
  - support the controller in complying with the data security obligations of
    the regulation;
  - hand over all results after the end of the processing;
  - make available all information necessary to control compliance.
The controller and the processor have to document the controller's instructions
and the processor's obligations listed above. It is important to note that if
a processor processes the data differently than instructed by the controller, the
processor will be considered a controller with respect to that processing and is
subject to Article 24 "Joint Controllers". Moreover, the controller and the
processor and, if any, the representative of the controller, shall co-operate, on
request, with the supervisory authority in the performance of its duties.
3.3 Data Protection
The protection of data is vital to making a cloud environment secure. A
service provider should address the following points to fulfill data and
information protection requirements:
Data Center: A high standard of protection requires access to information
about data centers and the mechanisms that are used to secure a data center.
The following points about data centers should be considered: