8.1 [DETAILS] List of Obligations

The following list of obligations was extracted from the WP B-3 MSB-3.1 report [49]. We refer the reader to that report for the full list of obligations, which provides extended details, including legal perspectives.

The following is a list of obligations, from the regulatory perspective (Data Protection Directive), to which Cloud actors must adhere:

  • Obligation 1: informing about processing. Data subjects have the right to know that their personal data is being processed.
  • Obligation 2: informing about purpose. Data subjects also have the right to know why their personal data is being processed.
  • Obligation 3: informing about recipients. Data subjects have the right to know who will process their personal data.
  • Obligation 4: informing about rights. Data subjects have the right to know their rights in relation to the processing of their personal data.
  • Obligation 5: data collection purposes. Personal data must be collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  • Obligation 6: the right to access, correct and delete personal data. Data subjects have the right to access, correct and delete personal data that have been collected about them.
  • Obligation 7: data storage period. Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which they were collected.
  • Obligation 8: security and privacy measures. Controllers are responsible to the data subjects for the implementation of appropriate technical and organizational security measures.
  • Obligation 9: rules for data processing by provider. Controllers are accountable to data subjects for how sub-providers process their personal data.
  • Obligation 10: rules for data processing by sub-providers. The controller must also ensure that all sub-providers involved in the service delivery chain do not process the personal data, except on the controller's instructions (unless they are required to do so by law).
  • Obligation 11: provider safeguards. Controllers are accountable to data subjects for choosing data processors that can provide sufficient safeguards concerning technical security and organizational measures.
  • Obligation 12: sub-provider safeguards. The previous obligation comprises all processors in a service delivery chain.
  • Obligation 13: informed consent to processing. Controllers are accountable to the data subjects for obtaining informed consent before collecting personal data.
  • Obligation 14: explicit consent to processing. Controllers are accountable to the data subjects for obtaining explicit consent before collecting sensitive personal data.
  • Obligation 15: explicit consent to processing by joint controllers. Controllers are accountable to the data subjects for obtaining explicit consent before allowing joint data controllers to process their sensitive personal data.
  • Obligation 16: informing DPAs. Controllers are accountable to the data protection authorities for informing them that they collect personal data.
  • Obligation 17: informing about the use of sub-processors. Processors are accountable to the controllers for informing them about the use of sub-providers to process personal data.
  • Obligation 18: security breach notification. Controllers are accountable to data subjects for notifying them of security incidents that are related to their personal data.
  • Obligation 19: evidence of data processing. Processors are accountable to the controllers for providing, upon request, evidence of their data processing practices.
  • Obligation 20: evidence of data deletion. Processors are accountable to the controllers for providing, upon request, evidence of the correct and timely deletion of personal data.
  • Obligation 21: data location. Data controllers are accountable to the data subjects for the location of the processing of their personal data.