Resolutions, opinions and reports search tool

The contract examined of order of the treatment for the starting of a platform of civic participation can adapt to the regulations of data protection if the considerations made the relative ones in the judgement, especially, are taken into account to the need to specify the safety measures to implement for the person in charge and the fate of the data linked to the provision of the service, as well as of informing the users of the aspects related to the treatment of its data, especially, regarding the foreseen publication. It corresponds to the town council to keep vigil so that the international transfers from data that can take place adapt to the regulations of data protection.

The Decision of the Commission of 5 February 2010 taking into account, the Resolution of the AEPD of 9 May of 2014, as well as the adhesion of Microsoft to the Shield of Privacy, can be considered that the contract of order of the treatment that could subscribe the University with Microsoft in relation to the services "Microsoft 365" and "Microsoft Azure", it would be in principle fitting to the demands of the regulations of data protection (LOPD, RLOPD and RGPD). Regarding the technical and organizational safety measures to guarantee the security of the data, can be considered that "Microsoft 365" and "Microsoft Azure" can be the forecasts of Microsoft in relation to the services, a priori, suitable for what he foresees the regulations of data protection taking into account that the implantation of the foreseen measures is an object of certification and auditing on the part of one third independent.

The public administrations have to check that the third lenders of services and of systems of communication fulfill their responsibilities, it is already as persons in charge of the treatment or, if it is proper, as responsibles for the treatment of the data of the users (in the case of the SMI), since the treatment is subjected to the demands of the principles and guarantees of the European regulations of the protection of data (LOPD, RLOPD, and RGPD). When they consider the choice of a determinate system of instant messaging (SMI) they should take the purpose of the communication, the personal information which it is necessary to treat, into account, especially; the consent of the affected ones; the model of security and the evaluation of impact and the concrete applied safety measures; the mechanisms of certification; the international transfers from data and the location of the servers; the law of information and the transparency, in attention to the forecasts of the European regulations of protection of data.

The adhesion of the companies Google and Microsoft to the agreement "U.S.-E.U. Safe Harbor" presupposes, to date of today, that the particulars sent by the entity by virtue of the recruitment of the services Google Apps for Business or Microsoft Office 365 will be treated with determinate guarantees and conditions of security. Particularly, this treatment will stay in the case of the Microsoft company fully guaranteed, once the Resolution TI/00032/2014 of the Spanish Agency of Protection of Data has been attended to. However, it will be necessary to have present that the foreseen performances in the respective conditions of use of these services, especially of Google Apps for Business, they can exceed the main purpose for which the entity would entrust the treatment of the data. Likewise, in order to consider the safety measures suitable global implemented in these services, it will be necessary carry to term the foreseen auditing to the regulations of data protection. For what it makes, specifically, to the use of the service of electronic mail, this does not show additional risks for the security of the information whenever the recommendations made about this are adopted.

The risks that the use of the services "Google Drive", "Microsoft Onedrive" and "Dropbox" for the lawyer means that it decides to store relative documentation there to its customers they would be related, with the functioning typical of these services, as well as with the different applications and platforms that allow the access and the management of the stored archives. The adhesion of the supplier companies of these services to the beginning of the agreement Safe Harbor presupposes, to date of today, that the particulars stored by the lawyer will be handled with determinate guarantees and conditions of security, even though it could be insufficient. Likewise, to have the certification ISO/IEC/27001, or any other certification or international standard on the subject of security, it is not a sufficient guarantee of the fulfillment of the safety measures of the RLOPD. It would be necessary to the regulations of data protection to accompany it from the foreseen auditing.

The recruitment of the services Google Apps for Business for a local council requires the realization d’una previous analysis of the risks that for the security and integrity of the personal information its treatment can entail in environments that work in the “núvol”. In the measure that Google Ireland Limited makes a data processing on account of the responsible, the recruitment of its services requires, d’entrada, the signature d’un contract d’encarregat of the treatment. However, the conditions in which subjects itself the service Google Apps for Business attended to, l’existència d’aquest contract d’encarregat so that it uses does not presuppose that the treatment of the data for Google Ireland Limited is carried to term always with all the guarantees required by the Spanish regulations of protection of data of personal character.