[NCSG-EC] Fwd: Re: Termination with our current host, and GDPR issues re transfer
Raphael Beauregard-Lacroix
rbeauregardlacroix at gmail.com
Mon May 18 20:23:42 EEST 2020
Hi all
So things are taken care of with Robhost without any issues. I'll be in
touch with Josh for the logistics of the transfer and keep you in the loop.
Best,
On Thu, May 14, 2020 at 7:15 PM Raphael Beauregard-Lacroix <
rbeauregardlacroix at gmail.com> wrote:
> Hi all
>
> So it turns out that the hosting provider used by Wapix (Linode LLC) is
> GDPR compliant, at least to the extent that they are part of Privacy
> Shield. I have plenty of reservations about the scheme from an academic
> perspective, but as far as positive law goes I guess that still flies.
>
> So if I don't have any further comments/oppositions within the next 24h I
> will reach out tomorrow to Robhost to request the termination.
>
> Have a nice evening,
>
> On Wed, May 13, 2020 at 10:25 PM Raphael Beauregard-Lacroix <
> rbeauregardlacroix at gmail.com> wrote:
>
>> Hi all
>>
>> I've gotten a reply from Josh, I'll just have to look into it a bit more.
>> I was planning to do that yesterday but things have been pretty hectic at
>> home. I should be back to you tomorrow with a clearer course of action.
>>
>> Have a nice evening,
>>
>> On Sat, May 9, 2020 at 12:45 PM Raphael Beauregard-Lacroix <
>> rbeauregardlacroix at gmail.com> wrote:
>>
>>> Hi Steph
>>>
>>> To be more specific (and succinct), I don't read us in any of the
>>> exceptions of Art 2.2. Hence what we do must be within the material scope;
>>> being unincorporated or otherwise "informal" does appear to change anything
>>> to me. And while the bowling league might arguably fall within the
>>> household exception, that exception is construed quite strictly by the CJEU
>>> and I honestly don't think we qualify. Mostly based on the fact that we are
>>> a "we" (albeit informal) and not just one guy keeping tabs on the bowling
>>> league folks in an excel sheet.
>>>
>>> As for Wapix I'd be surprised, but what I want to make sure of is that
>>> they do not "do" anything with the data on their own. If they simply take
>>> our orders, then they are confined to the role of processor. As long as
>>> Wapix does not plan or does not seek to interpose anything between the
>>> commitments we take and what they themselves do, then I think they do not
>>> have to be "compliant." But who knows - they might have some policy lying
>>> somewhere that says they will comply anyway. They might have European
>>> customers.
>>>
>>> To be clear, I don't think their compliance status matters so much, to
>>> the extent that they don't anything else with the data besides what we ask
>>> them to do for *our *purposes.
>>>
>>> Have a nice day,
>>>
>>>
>>>
>>> On Sat, May 9, 2020 at 12:04 PM Stephanie Perrin via NCSG-EC <
>>> ncsg-ec at lists.ncsg.is> wrote:
>>>
>>>>
>>>>
>>>>
>>>> -------- Forwarded Message --------
>>>> Subject: Re: [NCSG-EC] Termination with our current host, and GDPR
>>>> issues re transfer
>>>> Date: Sat, 9 May 2020 12:00:57 -0400
>>>> From: Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>
>>>> <stephanie.perrin at mail.utoronto.ca>
>>>> To: ncsg-ec at lists.ncsg.is
>>>>
>>>> I am so sorry we delayed on this, Raphael! My fault.
>>>>
>>>> I rather doubt that a Colorado IT firm is GDPR compliant. I also
>>>> rather doubt that it applies to NCSG as we are an informal association.
>>>> Not an NGO. So more like a bowling league or a bridge club (deliberately
>>>> selecting 50's era clubs). But if you think belonging to NCSG is a covered
>>>> activity, fire away, I am interested in the legal reasoning. (this opinion
>>>> of course by means reflects my concerns about our privacy policies, as yet
>>>> not form
>>>> On 2020-05-09 11:46 a.m., Raphael Beauregard-Lacroix via NCSG-EC wrote:
>>>>
>>>> Hi all
>>>>
>>>> So it is possible to terminate with Robhost. The next bill (for 12
>>>> months) is due on June 17th. The ToS posted on their wesbite mention that
>>>> we can terminate by the end of the ongoing billing term, subject to notice
>>>> period (unspecified). Now presuming German law governs, that would be six
>>>> weeks. Now if you count, that means we'd be too late already.
>>>>
>>>> In addition, Tapani has raised an issue regarding the GDPR-compliant
>>>> character of such a Germany-US data transfer. After a few hours (re)reading
>>>> the GDPR and looking into this, it appears to me that we NCSG as the
>>>> 'controller' have to bind ourselves to provide our (EU, at least) members
>>>> with their GDPR rights, wherever the data may be. Given that we can do
>>>> that, there is no requirement for individualized consent by each member.
>>>>
>>>> That brings up another issue which is that of Wapix as a processor
>>>> (i.e. we call the shots and they execute). They have been, and will
>>>> continue to be. Yet they do have to abide by the GDPR when it comes to
>>>> their role as a processor of personal data of EU persons. In turn, as
>>>> controllers, we have to make sure they do. I do not know what their stance
>>>> is when it comes to GDPR compliance. Couldnt find anything on their
>>>> website; in any case I have inquired with them and they usually come back
>>>> quickly.
>>>>
>>>> So here's my plan:
>>>>
>>>> -Ensure that everything is GDPR-kosher on Wapix's side
>>>>
>>>> -Attempt to negotiate a termination with Robhost; hopefully we manage
>>>> to reach an alternative solution which does not involve paying a full 12
>>>> months
>>>>
>>>> -Make a post on the list regarding the transfer, reminding our members
>>>> of 1) who is controller, who is processor, and what kind of processing is
>>>> being done, for what purposes, etc. 2) reminding them of their rights and
>>>> 3) that the transfer will have no effect on these processings and purposes,
>>>> nor on their rights, and so that we will abide with any GDPR-bound request
>>>> by any member (and, for what it's worth, with any DPA request, although
>>>> honestly I hope we never get there. But who knows!)
>>>>
>>>>
>>>> Let me know of any comments, suggestions, issues, etc. And if you care
>>>> enough to have a more detailed legal reasoning as to what our obligations
>>>> are I'll happily provide.
>>>>
>>>> Have a nice day,
>>>>
>>>> _______________________________________________
>>>> NCSG-EC mailing listNCSG-EC at lists.ncsg.ishttps://lists.ncsg.is/mailman/listinfo/ncsg-ec
>>>>
>>>> _______________________________________________
>>>> NCSG-EC mailing list
>>>> NCSG-EC at lists.ncsg.is
>>>> https://lists.ncsg.is/mailman/listinfo/ncsg-ec
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-ec/attachments/20200518/64ef7b18/attachment.htm>
More information about the NCSG-EC
mailing list