[NCSG-EC] Fwd: Re: Termination with our current host, and GDPR issues re transfer
Stephanie E Perrin
stephanie at digitaldiscretion.ca
Tue May 19 03:30:29 EEST 2020
Wonderful, and thanks so much for doing this Raphael!
Stephanie
On 2020-05-18 1:23 p.m., Raphael Beauregard-Lacroix wrote:
> Hi all
>
> So things are taken care of with Robhost without any issues. I'll be
> in touch with Josh for the logistics of the transfer and keep you in
> the loop.
>
> Best,
>
> On Thu, May 14, 2020 at 7:15 PM Raphael Beauregard-Lacroix
> <rbeauregardlacroix at gmail.com> wrote:
>
> Hi all
>
> So it turns out that the hosting provider used by Wapix (Linode
> LLC) is GDPR compliant, at least to the extent that they are part
> of Privacy Shield. I have plenty of reservations about the scheme
> from an academic perspective, but as far as positive law goes I
> guess that still flies.
>
> So if I don't have any further comments/oppositions within the
> next 24h I will reach out tomorrow to Robhost to request the
> termination.
>
> Have a nice evening,
>
> On Wed, May 13, 2020 at 10:25 PM Raphael Beauregard-Lacroix
> <rbeauregardlacroix at gmail.com> wrote:
>
> Hi all
>
> I've gotten a reply from Josh, I'll just have to look into it
> a bit more. I was planning to do that yesterday but things
> have been pretty hectic at home. I should be back to you
> tomorrow with a clearer course of action.
>
> Have a nice evening,
>
> On Sat, May 9, 2020 at 12:45 PM Raphael Beauregard-Lacroix
> <rbeauregardlacroix at gmail.com> wrote:
>
> Hi Steph
>
> To be more specific (and succinct), I don't read us in any
> of the exceptions of Art 2.2. Hence what we do must be
> within the material scope; being unincorporated or
> otherwise "informal" does appear to change anything to me.
> And while the bowling league might arguably fall within
> the household exception, that exception is construed quite
> strictly by the CJEU and I honestly don't think we
> qualify. Mostly based on the fact that we are a "we"
> (albeit informal) and not just one guy keeping tabs on the
> bowling league folks in an excel sheet.
>
> As for Wapix I'd be surprised, but what I want to make
> sure of is that they do not "do" anything with the data on
> their own. If they simply take our orders, then they are
> confined to the role of processor. As long as Wapix does
> not plan or does not seek to interpose anything between
> the commitments we take and what they themselves do, then
> I think they do not have to be "compliant." But who knows
> - they might have some policy lying somewhere that says
> they will comply anyway. They might have European customers.
>
> To be clear, I don't think their compliance status matters
> so much, to the extent that they don't do anything else with
> the data besides what we ask them to do for /our/ purposes.
>
> Have a nice day,
>
>
>
> On Sat, May 9, 2020 at 12:04 PM Stephanie Perrin via
> NCSG-EC <ncsg-ec at lists.ncsg.is> wrote:
>
>
>
>
> -------- Forwarded Message --------
> Subject: Re: [NCSG-EC] Termination with our current
> host, and GDPR issues re transfer
> Date: Sat, 9 May 2020 12:00:57 -0400
> From: Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>
> To: ncsg-ec at lists.ncsg.is
>
>
>
> I am so sorry we delayed on this, Raphael! My fault.
>
> I rather doubt that a Colorado IT firm is GDPR
> compliant. I also rather doubt that it applies to
> NCSG as we are an informal association. Not an NGO.
> So more like a bowling league or a bridge club
> (deliberately selecting 50's era clubs). But if you
> think belonging to NCSG is a covered activity, fire
> away, I am interested in the legal reasoning. (this
> opinion of course by means reflects my concerns about
> our privacy policies, as yet not form
>
> On 2020-05-09 11:46 a.m., Raphael Beauregard-Lacroix
> via NCSG-EC wrote:
>> Hi all
>>
>> So it is possible to terminate with Robhost. The next
>> bill (for 12 months) is due on June 17th. The ToS
>> posted on their website mention that we can terminate
>> by the end of the ongoing billing term, subject to
>> notice period (unspecified). Now presuming German law
>> governs, that would be six weeks. Now if you count,
>> that means we'd be too late already.
>>
>> In addition, Tapani has raised an issue regarding the
>> GDPR-compliant character of such a Germany-US data
>> transfer. After a few hours (re)reading the GDPR and
>> looking into this, it appears to me that we NCSG as
>> the 'controller' have to bind ourselves to
>> provide our (EU, at least) members with their GDPR
>> rights, wherever the data may be. Given that we can
>> do that, there is no requirement for individualized
>> consent by each member.
>>
>> That brings up another issue which is that of Wapix
>> as a processor (i.e. we call the shots and they
>> execute). They have been, and will continue to be.
>> Yet they do have to abide by the GDPR when it comes
>> to their role as a processor of personal data of
>> EU persons. In turn, as controllers, we have to make
>> sure they do. I do not know what their stance is when
>> it comes to GDPR compliance. Couldn't find anything on
>> their website; in any case I have inquired with them
>> and they usually come back quickly.
>>
>> So here's my plan:
>>
>> -Ensure that everything is GDPR-kosher on Wapix's side
>>
>> -Attempt to negotiate a termination with Robhost;
>> hopefully we manage to reach an alternative solution
>> which does not involve paying a full 12 months
>>
>> -Make a post on the list regarding the transfer,
>> reminding our members of 1) who is controller, who is
>> processor, and what kind of processing is being done,
>> for what purposes, etc. 2) reminding them of their
>> rights and 3) that the transfer will have no effect
>> on these processings and purposes, nor on their
>> rights, and so that we will abide with any GDPR-bound
>> request by any member (and, for what it's worth, with
>> any DPA request, although honestly I hope we never
>> get there. But who knows!)
>>
>>
>> Let me know of any comments, suggestions, issues,
>> etc. And if you care enough to have a more detailed
>> legal reasoning as to what our obligations are I'll
>> happily provide.
>>
>> Have a nice day,
>>
>> _______________________________________________
>> NCSG-EC mailing list
>> NCSG-EC at lists.ncsg.is
>> https://lists.ncsg.is/mailman/listinfo/ncsg-ec