Márton Domokos writes for “The Privacy Advisor” that on 18 July, the Hungarian Financial Supervisory Authority-PSZÁF (HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time in Hungary that a regulatory authority has issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.
The HFSA expressly reminds the management, IT internal audit, compliance and legal departments of financial institutions that if the company is willing to use cloud computing services, they shall pay particular attention to the following:
- Obtaining cloud services is considered “outsourcing” under the Hungarian sector-specific regulations, which results in the application of certain additional rules; e.g., notification to the HFSA, specific data processing obligations.
- It is important to continuously monitor the changes in the regulations of the EU affecting cloud computing services, practices and best practice recommendations.
- It is also essential to keep an eye on the Hungarian and EU data privacy provisions and practices, in particular practices and resolutions concerning cross-border data transfers or data transfers to third countries.
- The relationship between the master services agreement to be concluded and the related SLAs shall be harmonised.
According to the HFSA, it is important to classify the data processed by the financial institution before determining which data can be transferred to the cloud at all. The circular states that it is not recommended to process bank secrets, personal data or other sensitive data in the public cloud. It also reminds institutions that the physical storage or place of processing of data in the public cloud, in particular outside of the European Economic Area or the Safe Harbor, substantially influences the possibility of compliance with the EU data protection regulations.
Read the whole text HERE.
DNA is considered private data and its retention is protected by some of the privacy and data protection laws
I found a very interesting piece of information on the Proskauer privacy law blog regarding a recent decision of the Massachusetts Appeal Court, which found that police cannot keep DNA samples beyond the limitations promised to an individual.
The decision was given in Amato v. District Attorney on 25 August.
The case arose out of the voluntary collection of plaintiff’s DNA in connection with a 2002 murder investigation. The plaintiff challenged the crime lab’s retention of private individuals’ DNA samples despite representations that any samples and related records “would be destroyed and would not become part of any State or Federal database” if they did not match DNA evidence taken at the crime scene. According to the plaintiff, notwithstanding the successful prosecution of the man responsible for the murder, the state’s crime lab refused to destroy his and other DNA samples in its possession despite his repeated requests.
The trial court dismissed the charges. But the Appeal Court found that the police were in breach of privacy law, in particular the state’s Fair Information Practices Act.
“[g]iven the circumstances under which the defendants induced [the plaintiff] and the others to allow access to this intensely private information [i.e., their DNA], including the promises of limited use and retention and the concomitantly restricted scope of consent granted, we are not convinced that the defendants have acted reasonably as matter of law.”
The Court also found that retention of highly sensitive DNA records without consent and making them available for nonconsensual use in other criminal investigations are sufficient to constitute an unreasonable, substantial, and serious interference with an individual’s privacy.
- You can find the whole decision HERE