<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>Re: [NCSG-EC] Termination with our current host, and
GDPR issues re transfer</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
<td>Sat, 9 May 2020 12:00:57 -0400</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
<td>Stephanie Perrin
<a class="moz-txt-link-rfc2396E" href="mailto:stephanie.perrin@mail.utoronto.ca"><stephanie.perrin@mail.utoronto.ca></a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:ncsg-ec@lists.ncsg.is">ncsg-ec@lists.ncsg.is</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>I am so sorry we delayed on this, Raphael! My fault. <br>
</p>
<p>I rather doubt that a Colorado IT firm is GDPR compliant. I
also rather doubt that it applies to NCSG as we are an informal
association. Not an NGO. So more like a bowling league or a
bridge club (deliberately selecting 50's era clubs). But if you
think belonging to NCSG is a covered activity, fire away, I am
interested in the legal reasoning. (this opinion of course by
means reflects my concerns about our privacy policies, as yet
not form<br>
</p>
<div class="moz-cite-prefix">On 2020-05-09 11:46 a.m., Raphael
Beauregard-Lacroix via NCSG-EC wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPZSw-r2yK9yro5xD8EMCUR4_fa8Jn+cb4iycW58cv+xvK5-7Q@mail.gmail.com">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<div dir="ltr">Hi all
<div><br>
</div>
<div>So it is possible to terminate with Robhost. The next
bill (for 12 months) is due on June 17th. The ToS posted on
their wesbite mention that we can terminate by the end of
the ongoing billing term, subject to notice period
(unspecified). Now presuming German law governs, that would
be six weeks. Now if you count, that means we'd be too late
already.</div>
<div><br>
</div>
<div>In addition, Tapani has raised an issue regarding the
GDPR-compliant character of such a Germany-US data transfer.
After a few hours (re)reading the GDPR and looking into
this, it appears to me that we NCSG as the 'controller' have
to bind ourselves to provide our (EU, at least) members with
their GDPR rights, wherever the data may be. Given that we
can do that, there is no requirement for individualized
consent by each member. </div>
<div><br>
</div>
<div>That brings up another issue which is that of Wapix as a
processor (i.e. we call the shots and they execute). They
have been, and will continue to be. Yet they do have to
abide by the GDPR when it comes to their role as a processor
of personal data of EU persons. In turn, as controllers, we
have to make sure they do. I do not know what their stance
is when it comes to GDPR compliance. Couldnt find anything
on their website; in any case I have inquired with them and
they usually come back quickly.</div>
<div><br>
</div>
<div>So here's my plan: </div>
<div><br>
</div>
<div>-Ensure that everything is GDPR-kosher on Wapix's side</div>
<div><br>
</div>
<div>-Attempt to negotiate a termination with Robhost;
hopefully we manage to reach an alternative solution which
does not involve paying a full 12 months</div>
<div><br>
</div>
<div>-Make a post on the list regarding the transfer,
reminding our members of 1) who is controller, who is
processor, and what kind of processing is being done, for
what purposes, etc. 2) reminding them of their rights and 3)
that the transfer will have no effect on these processings
and purposes, nor on their rights, and so that we will abide
with any GDPR-bound request by any member (and, for what
it's worth, with any DPA request, although honestly I hope
we never get there. But who knows!)</div>
<div><br>
</div>
<div><br>
</div>
<div>Let me know of any comments, suggestions, issues, etc.
And if you care enough to have a more detailed legal
reasoning as to what our obligations are I'll happily
provide.</div>
<div><br>
</div>
<div>Have a nice day, </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
NCSG-EC mailing list
<a class="moz-txt-link-abbreviated" href="mailto:NCSG-EC@lists.ncsg.is" moz-do-not-send="true">NCSG-EC@lists.ncsg.is</a>
<a class="moz-txt-link-freetext" href="https://lists.ncsg.is/mailman/listinfo/ncsg-ec" moz-do-not-send="true">https://lists.ncsg.is/mailman/listinfo/ncsg-ec</a>
</pre>
</blockquote>
</div>
</body>
</html>