<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Wonderful, and thanks so much for doing this Raphael!</p>
<p>Stephanie<br>
</p>
<div class="moz-cite-prefix">On 2020-05-18 1:23 p.m., Raphael
Beauregard-Lacroix wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPZSw-oJGdUpQvciAWUAw-M3W1ErP1X9NEUK5ZodjiYHs+Nmzg@mail.gmail.com">
<div dir="ltr">Hi all
<div><br>
</div>
<div>So things are taken care of with Robhost without any
issues. I'll be in touch with Josh for the logistics of the
transfer and keep you in the loop.</div>
<div><br>
</div>
<div>Best, </div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, May 14, 2020 at 7:15
PM Raphael Beauregard-Lacroix &lt;<a
href="mailto:rbeauregardlacroix@gmail.com"
moz-do-not-send="true">rbeauregardlacroix@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi all
<div><br>
</div>
<div>So it turns out that the hosting provider used by Wapix
(Linode LLC) is GDPR compliant, at least to the extent
that they are part of Privacy Shield. I have plenty of
reservations about the scheme from an academic
perspective, but as far as positive law goes I guess that
still flies. </div>
<div><br>
</div>
<div>So if I don't have any further comments/oppositions
within the next 24h I will reach out tomorrow to Robhost
to request the termination.</div>
<div><br>
</div>
<div>Have a nice evening, </div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, May 13, 2020 at
10:25 PM Raphael Beauregard-Lacroix &lt;<a
href="mailto:rbeauregardlacroix@gmail.com"
target="_blank" moz-do-not-send="true">rbeauregardlacroix@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi all
<div><br>
</div>
<div>I've gotten a reply from Josh, I'll just have to
look into it a bit more. I was planning to do that
yesterday but things have been pretty hectic at home.
I should be back to you tomorrow with a clearer course
of action. </div>
<div><br>
</div>
<div>Have a nice evening,</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sat, May 9, 2020 at
12:45 PM Raphael Beauregard-Lacroix &lt;<a
href="mailto:rbeauregardlacroix@gmail.com"
target="_blank" moz-do-not-send="true">rbeauregardlacroix@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi Steph
<div><br>
</div>
<div>To be more specific (and succinct), I don't
read us in any of the exceptions of Art 2.2. Hence
what we do must be within the material scope;
being unincorporated or otherwise "informal" does
appear to change anything to me. And while the
bowling league might arguably fall within the
household exception, that exception is construed
quite strictly by the CJEU and I honestly don't
think we qualify. Mostly based on the fact that we
are a "we" (albeit informal) and not just one guy
keeping tabs on the bowling league folks in an
excel sheet. </div>
<div><br>
</div>
<div>As for Wapix I'd be surprised, but what I want
to make sure of is that they do not "do" anything
with the data on their own. If they simply take
our orders, then they are confined to the role of
processor. As long as Wapix does not plan or does
not seek to interpose anything between the
commitments we take and what they themselves do,
then I think they do not have to be "compliant."
But who knows - they might have some policy lying
somewhere that says they will comply anyway. They
might have European customers. </div>
<div><br>
</div>
<div>To be clear, I don't think their compliance
status matters so much, to the extent that they
don't do anything else with the data besides what we
ask them to do for <i>our </i>purposes.</div>
<div><br>
</div>
<div>Have a nice day, </div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sat, May 9,
2020 at 12:04 PM Stephanie Perrin via NCSG-EC &lt;<a
href="mailto:ncsg-ec@lists.ncsg.is"
target="_blank" moz-do-not-send="true">ncsg-ec@lists.ncsg.is</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p><br>
</p>
<div><br>
<br>
-------- Forwarded Message --------
<table cellspacing="0" cellpadding="0"
border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap"
align="RIGHT">Subject: </th>
<td>Re: [NCSG-EC] Termination with our
current host, and GDPR issues re
transfer</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap"
align="RIGHT">Date: </th>
<td>Sat, 9 May 2020 12:00:57 -0400</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap"
align="RIGHT">From: </th>
<td>Stephanie Perrin <a
href="mailto:stephanie.perrin@mail.utoronto.ca"
target="_blank"
moz-do-not-send="true">&lt;stephanie.perrin@mail.utoronto.ca&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap"
align="RIGHT">To: </th>
<td><a
href="mailto:ncsg-ec@lists.ncsg.is"
target="_blank"
moz-do-not-send="true">ncsg-ec@lists.ncsg.is</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<p>I am so sorry we delayed on this, Raphael!
My fault. <br>
</p>
<p>I rather doubt that a Colorado IT firm is
GDPR compliant. I also rather doubt that it
applies to NCSG as we are an informal
association. Not an NGO. So more like a
bowling league or a bridge club
(deliberately selecting 50's era clubs).
But if you think belonging to NCSG is a
covered activity, fire away, I am interested
in the legal reasoning. (this opinion of
course by means reflects my concerns about
our privacy policies, as yet not form<br>
</p>
<div>On 2020-05-09 11:46 a.m., Raphael
Beauregard-Lacroix via NCSG-EC wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi all
<div><br>
</div>
<div>So it is possible to terminate with
Robhost. The next bill (for 12 months)
is due on June 17th. The ToS posted on
their website mention that we can
terminate by the end of the ongoing
billing term, subject to notice period
(unspecified). Now presuming German law
governs, that would be six weeks. Now if
you count, that means we'd be too late
already.</div>
<div><br>
</div>
<div>In addition, Tapani has raised an
issue regarding the GDPR-compliant
character of such a Germany-US data
transfer. After a few hours (re)reading
the GDPR and looking into this, it
appears to me that we NCSG as the
'controller' have to bind ourselves to
provide our (EU, at least) members with
their GDPR rights, wherever the data may
be. Given that we can do that, there is
no requirement for individualized
consent by each member. </div>
<div><br>
</div>
<div>That brings up another issue which is
that of Wapix as a processor (i.e. we
call the shots and they execute). They
have been, and will continue to be. Yet
they do have to abide by the GDPR when
it comes to their role as a processor of
personal data of EU persons. In turn, as
controllers, we have to make sure they
do. I do not know what their stance is
when it comes to GDPR compliance.
Couldn't find anything on their website;
in any case I have inquired with them
and they usually come back quickly.</div>
<div><br>
</div>
<div>So here's my plan: </div>
<div><br>
</div>
<div>-Ensure that everything is
GDPR-kosher on Wapix's side</div>
<div><br>
</div>
<div>-Attempt to negotiate a termination
with Robhost; hopefully we manage to
reach an alternative solution which does
not involve paying a full 12 months</div>
<div><br>
</div>
<div>-Make a post on the list regarding
the transfer, reminding our members of
1) who is controller, who is processor,
and what kind of processing is being
done, for what purposes, etc. 2)
reminding them of their rights and 3)
that the transfer will have no effect on
these processings and purposes, nor on
their rights, and so that we will abide
with any GDPR-bound request by any
member (and, for what it's worth, with
any DPA request, although honestly I
hope we never get there. But who knows!)</div>
<div><br>
</div>
<div><br>
</div>
<div>Let me know of any comments,
suggestions, issues, etc. And if you
care enough to have a more detailed
legal reasoning as to what our
obligations are I'll happily provide.</div>
<div><br>
</div>
<div>Have a nice day, </div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
NCSG-EC mailing list
<a href="mailto:NCSG-EC@lists.ncsg.is" target="_blank" moz-do-not-send="true">NCSG-EC@lists.ncsg.is</a>
<a href="https://lists.ncsg.is/mailman/listinfo/ncsg-ec" target="_blank" moz-do-not-send="true">https://lists.ncsg.is/mailman/listinfo/ncsg-ec</a>
</pre>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</body>
</html>