[NCSG-EC] Fwd: Re: Termination with our current host, and GDPR issues re transfer

Raphael Beauregard-Lacroix rbeauregardlacroix at gmail.com
Sat May 9 19:45:37 EEST 2020 

Hi Steph

To be more specific (and succinct), I don't read us in any of the
exceptions of Art 2.2. Hence what we do must be within the material scope;
being unincorporated or otherwise "informal" does appear to change anything
to me. And while the bowling league might arguably fall within the
household exception, that exception is construed quite strictly by the CJEU
and I honestly don't think we qualify. Mostly based on the fact that we are
a "we" (albeit informal) and not just one guy keeping tabs on the bowling
league folks in an excel sheet.

As for Wapix I'd be surprised, but what I want to make sure of is that they
do not "do" anything with the data on their own. If they simply take our
orders, then they are confined to the role of processor. As long as Wapix
does not plan or does not seek to interpose anything between the
commitments we take and what they themselves do, then I think they do not
have to be "compliant." But who knows - they might have some policy lying
somewhere that says they will comply anyway. They might have European
customers.

To be clear, I don't think their compliance status matters so much, to the
extent that they don't anything else with the data besides what we ask them
to do for *our *purposes.

Have a nice day,



On Sat, May 9, 2020 at 12:04 PM Stephanie Perrin via NCSG-EC <
ncsg-ec at lists.ncsg.is> wrote:

>
>
>
> -------- Forwarded Message --------
> Subject: Re: [NCSG-EC] Termination with our current host, and GDPR issues
> re transfer
> Date: Sat, 9 May 2020 12:00:57 -0400
> From: Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>
> <stephanie.perrin at mail.utoronto.ca>
> To: ncsg-ec at lists.ncsg.is
>
> I am so sorry we delayed on this, Raphael!  My fault.
>
> I rather doubt that a Colorado IT firm is GDPR compliant.  I also rather
> doubt that it applies to NCSG as we are an informal association.  Not an
> NGO.  So more like a  bowling league or a bridge club (deliberately
> selecting 50's era clubs).  But if you think belonging to NCSG is a covered
> activity, fire away, I am interested in the legal reasoning.  (this opinion
> of course by means reflects my concerns about our privacy policies, as yet
> not form
> On 2020-05-09 11:46 a.m., Raphael Beauregard-Lacroix via NCSG-EC wrote:
>
> Hi all
>
> So it is possible to terminate with Robhost. The next bill (for 12 months)
> is due on June 17th. The ToS posted on their wesbite mention that we can
> terminate by the end of the ongoing billing term, subject to notice period
> (unspecified). Now presuming German law governs, that would be six weeks.
> Now if you count, that means we'd be too late already.
>
> In addition, Tapani has raised an issue regarding the GDPR-compliant
> character of such a Germany-US data transfer. After a few hours (re)reading
> the GDPR and looking into this, it appears to me that we NCSG as the
> 'controller' have to bind ourselves to provide our (EU, at least) members
> with their GDPR rights, wherever the data may be. Given that we can do
> that, there is no requirement for individualized consent by each member.
>
> That brings up another issue which is that of Wapix as a processor (i.e.
> we call the shots and they execute). They have been, and will continue to
> be. Yet they do have to abide by the GDPR when it comes to their role as a
> processor of personal data of EU persons. In turn, as controllers, we have
> to make sure they do. I do not know what their stance is when it comes to
> GDPR compliance. Couldnt find anything on their website; in any case I have
> inquired with them and they usually come back quickly.
>
> So here's my plan:
>
> -Ensure that everything is GDPR-kosher on Wapix's side
>
> -Attempt to negotiate a termination with Robhost; hopefully we manage to
> reach an alternative solution which does not involve paying a full 12 months
>
> -Make a post on the list regarding the transfer, reminding our members of
> 1) who is controller, who is processor, and what kind of processing is
> being done, for what purposes, etc. 2) reminding them of their rights and
> 3) that the transfer will have no effect on these processings and purposes,
> nor on their rights, and so that we will abide with any GDPR-bound request
> by any member (and, for what it's worth, with any DPA request, although
> honestly I hope we never get there. But who knows!)
>
>
> Let me know of any comments, suggestions, issues, etc. And if you care
> enough to have a more detailed legal reasoning as to what our obligations
> are I'll happily provide.
>
> Have a nice day,
>
> _______________________________________________
> NCSG-EC mailing listNCSG-EC at lists.ncsg.ishttps://lists.ncsg.is/mailman/listinfo/ncsg-ec
>
> _______________________________________________
> NCSG-EC mailing list
> NCSG-EC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-ec
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-ec/attachments/20200509/0065e5bd/attachment.htm>

More information about the NCSG-EC mailing list