[NCSG-EC] Fwd: Re: Termination with our current host, and GDPR issues re transfer

Raphael Beauregard-Lacroix rbeauregardlacroix at gmail.com
Thu May 14 05:25:42 EEST 2020 

Hi all

I've gotten a reply from Josh, I'll just have to look into it a bit more. I
was planning to do that yesterday but things have been pretty hectic at
home. I should be back to you tomorrow with a clearer course of action.

Have a nice evening,

On Sat, May 9, 2020 at 12:45 PM Raphael Beauregard-Lacroix <
rbeauregardlacroix at gmail.com> wrote:

> Hi Steph
>
> To be more specific (and succinct), I don't read us in any of the
> exceptions of Art 2.2. Hence what we do must be within the material scope;
> being unincorporated or otherwise "informal" does appear to change anything
> to me. And while the bowling league might arguably fall within the
> household exception, that exception is construed quite strictly by the CJEU
> and I honestly don't think we qualify. Mostly based on the fact that we are
> a "we" (albeit informal) and not just one guy keeping tabs on the bowling
> league folks in an excel sheet.
>
> As for Wapix I'd be surprised, but what I want to make sure of is that
> they do not "do" anything with the data on their own. If they simply take
> our orders, then they are confined to the role of processor. As long as
> Wapix does not plan or does not seek to interpose anything between the
> commitments we take and what they themselves do, then I think they do not
> have to be "compliant." But who knows - they might have some policy lying
> somewhere that says they will comply anyway. They might have European
> customers.
>
> To be clear, I don't think their compliance status matters so much, to the
> extent that they don't anything else with the data besides what we ask them
> to do for *our *purposes.
>
> Have a nice day,
>
>
>
> On Sat, May 9, 2020 at 12:04 PM Stephanie Perrin via NCSG-EC <
> ncsg-ec at lists.ncsg.is> wrote:
>
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: Re: [NCSG-EC] Termination with our current host, and GDPR
>> issues re transfer
>> Date: Sat, 9 May 2020 12:00:57 -0400
>> From: Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>
>> <stephanie.perrin at mail.utoronto.ca>
>> To: ncsg-ec at lists.ncsg.is
>>
>> I am so sorry we delayed on this, Raphael!  My fault.
>>
>> I rather doubt that a Colorado IT firm is GDPR compliant.  I also rather
>> doubt that it applies to NCSG as we are an informal association.  Not an
>> NGO.  So more like a  bowling league or a bridge club (deliberately
>> selecting 50's era clubs).  But if you think belonging to NCSG is a covered
>> activity, fire away, I am interested in the legal reasoning.  (this opinion
>> of course by means reflects my concerns about our privacy policies, as yet
>> not form
>> On 2020-05-09 11:46 a.m., Raphael Beauregard-Lacroix via NCSG-EC wrote:
>>
>> Hi all
>>
>> So it is possible to terminate with Robhost. The next bill (for 12
>> months) is due on June 17th. The ToS posted on their wesbite mention that
>> we can terminate by the end of the ongoing billing term, subject to notice
>> period (unspecified). Now presuming German law governs, that would be six
>> weeks. Now if you count, that means we'd be too late already.
>>
>> In addition, Tapani has raised an issue regarding the GDPR-compliant
>> character of such a Germany-US data transfer. After a few hours (re)reading
>> the GDPR and looking into this, it appears to me that we NCSG as the
>> 'controller' have to bind ourselves to provide our (EU, at least) members
>> with their GDPR rights, wherever the data may be. Given that we can do
>> that, there is no requirement for individualized consent by each member.
>>
>> That brings up another issue which is that of Wapix as a processor (i.e.
>> we call the shots and they execute). They have been, and will continue to
>> be. Yet they do have to abide by the GDPR when it comes to their role as a
>> processor of personal data of EU persons. In turn, as controllers, we have
>> to make sure they do. I do not know what their stance is when it comes to
>> GDPR compliance. Couldnt find anything on their website; in any case I have
>> inquired with them and they usually come back quickly.
>>
>> So here's my plan:
>>
>> -Ensure that everything is GDPR-kosher on Wapix's side
>>
>> -Attempt to negotiate a termination with Robhost; hopefully we manage to
>> reach an alternative solution which does not involve paying a full 12 months
>>
>> -Make a post on the list regarding the transfer, reminding our members of
>> 1) who is controller, who is processor, and what kind of processing is
>> being done, for what purposes, etc. 2) reminding them of their rights and
>> 3) that the transfer will have no effect on these processings and purposes,
>> nor on their rights, and so that we will abide with any GDPR-bound request
>> by any member (and, for what it's worth, with any DPA request, although
>> honestly I hope we never get there. But who knows!)
>>
>>
>> Let me know of any comments, suggestions, issues, etc. And if you care
>> enough to have a more detailed legal reasoning as to what our obligations
>> are I'll happily provide.
>>
>> Have a nice day,
>>
>> _______________________________________________
>> NCSG-EC mailing listNCSG-EC at lists.ncsg.ishttps://lists.ncsg.is/mailman/listinfo/ncsg-ec
>>
>> _______________________________________________
>> NCSG-EC mailing list
>> NCSG-EC at lists.ncsg.is
>> https://lists.ncsg.is/mailman/listinfo/ncsg-ec
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-ec/attachments/20200513/a4b4c489/attachment.htm>

More information about the NCSG-EC mailing list