We talked about the importance of the Cloud Computing has and will in our lives and in general risks, but I would like itemize in specific areas.
Problem description
The use of cloud computing, the user manages their data outside their computer terminal and these are stored on servers in second or even third parties. This obviously involves risks that we saw in the post about risks of cloud computing .
You have the right to:
1. Provide information concerning your personal data (see, modify or delete it.)
2. Aware at all times quien tiene esos datos, donde y con que finalidad.
Este último aspecto puede ser un problema ya que nos encontramos que los datos no los trata la empresa con la que hemos contratado o suscrito un servicio, sino un tercero. ¿Quien es entonces el responsable? ¿En que medida? ¿Pueden estos datos acabar en un país con un nivel de protección menor?
La LOPD y su ámbito de aplicación
El art. 2 de la Ley Orgánica de Protección de Datos (LOPD) y su reglamento aprobado por el Real Decree 1720/2007 on the art. 3 down its scope and will any comments regarding cloud computing:
- When the processing is carried out on English territory in the framework of the activities of an establishment of treatment .
What is a settlement in the case of cloud computing? The article seems to refer to a physical processing center, which can be as irrelevant in the case of cloud computing.
- When the controller is not established on English territory, it is applicable English law under public international law rules.
For interpretation of the following paragraph is limited to the community level subject to Directive 95/46/EC.
- When the controller is not established in the territory of the European Union and used in the data processing means located in English territory, unless that such equipment is used only for transit purposes.
Working Paper WP56 2002 of the Working Group on Article 29 and stated that the use of cookies (stored on the user's computer) was used to considered medium used for transit.
- Where the establishment is not located in English territory, but but there is a processor located in Spain, will apply the same rules contained in Title VIII of these rules.
"If the controller is not established in the territory of the European Union, but uses equipment situated in English territory, the controller must designate a representative established in English territory.
be easier to identify effective the perpetrator.
establishment "And you have to understand any equipment providing effective and real exercise of
activity, regardless of the legal form.
activity, regardless of the legal form.
Thus, the determination of this well defined legally responsible, which does not mean it's easy or even possible effectively in all cases, but what happens when the data is processed by a third party?
Art. 12 of the Data Protection Act and the arts. 20 to 22 of the Regulation governing the relationship between the responsible and that third party.
The transfer of data is lawfully admitted into the 12.1 " not consider data communication access by a third party data when such access is necessary for the provision of a service controller "by a contract specifying" only process the data according to the instructions of the controller, which does not apply or use them for purposes other than those listed in the contract, nor shall, not even for conservation, others .
20.2 The art tells us that shall be responsible for the treatment to be sure that the third party concerned does this data in accordance with regulations, even if this third enabled by the controller himself, outsourced to another company for that function.
That is, we still have the responsibility to identify and this will be tried in Spain.
In brief, a reference to the International Data.
To learn more:
PDPA PDF and HTML
0 comments:
Post a Comment