Initial Customer Communications
The European Union Directive page on the Lumen Compliance site is an excellent starting point for gaining information. The CAIQ crosswalk can also be downloaded from the CSA STAR page for an initial identification of how Lumen Cloud answers specifically to 95/46/EC, the European Union Data Protection Directive.
What is the Lumen European Union Appendix 2
Lumen has implemented, and will maintain during the Term, an information security program (the “Program”) that includes reasonable measures designed to:
- Secure the confidentiality and integrity of Exporter Data.
- Protect against foreseeable threats to the security or integrity of Exporter Data to the extent related to the Services and Lumen Infrastructure.
- Protect against unauthorized access to, disclosure of, or use of Exporter Data.
- Ensure that Lumen employees are aware of the need to maintain the confidentiality, integrity, and security of Exporter Data.
Governance and Scope of Appendix Products
Lumen’s technical and organizational security measures apply to standard services that may involve the processing of personal data as part of the Exporter Data including: colocation, managed hosting, cloud hosting, connectivity, and other processing services provided at Lumen data centers.
Location of Contract and Appendix
The European Union Standard Contractual Clauses can be downloaded from the European Commission site. Lumen is able to sign Standard Contractual Clauses with customers following a review process. Once the review is complete, Lumen can sign the Clauses using the standard Appendix 2, which includes the security measures Lumen has in place to protect data.
Contact your Sales or Pricing and Offer Management (POM) representative for additional information.
European Union/European Economic Area (EEA) Glossary
Controller
A Controller is the natural or legal person, public authority, agency, or any other body which alone or jointly determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the Controller or the specific criteria for his/her nomination may be designated by national or Community law. Article 2(d) of the Data Protection Directive.
Being a Controller carries serious legal responsibilities, so an organization that processes personal data should be explicitly clear on whether these responsibilities apply to it.
In practice, to find out who controls the contents and use of retained personal information, an organization should acknowledge the following considerations:
- Who/What decides what personal information is retained?
- Who/What decides the use(s) and purpose(s) of the information?
- Who/What decides on the means of processing of personal data?
If that organization controls and is responsible for the personal data that it holds, then it is a Controller. In some instances it is likely that these decisions are made in conjunction with other organizations, in which case all involved organizations will be co-Controllers. If, on the other hand, an organization retains the personal data, but another organization decides on and is responsible for what happens to the data and the first organization acts under the instruction of the other organization, then that other organization is the Controller, and the first one is a “Processor”.
Data Subject
An identified or identifiable person to whom the personal data relates. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. Article 2(a) of the Data Protection Directive; see Opinion No 4/2007 on the concept of personal data issued by the Article 29 Working Party (WP 136).
European Union and European Economic Area countries
The area set up by the European Economic Area (EEA) agreement comprises the 27 Member States of the European Union and the three European Free Trade Association (EFTA) countries that are bound by the Agreement on the European Economic Area (EEA). The 27 Member States are: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom. The three EFTA countries that are also bound by the Data Protection Directive, through being part of the EEA, are Iceland, Liechtenstein and Norway. Switzerland is a member of EFTA but is not part of the EEA; it is therefore not bound by the Data Protection Directive and has “third country” status. Switzerland has been considered a third country offering an adequate level of protection in accordance with Article 25 of the Directive (see: List of Adequate Countries).
List of Countries Covered by a Commission Adequacy Finding Decision
The list of countries considered as offering an adequate level of protection in accordance with Article 25 of the Data Protection Directive:
On the one hand, the European Commission has the power to make determinations of adequacy that are binding on EU (and EEA) Member States. Positive determinations of adequacy have hitherto been made for: Switzerland; Canada (with regard to transfers made to recipients subject to the Canadian Personal Information Protection and Electronic Documents Act); Argentina; the Bailiwick of Guernsey; the Isle of Man; the Bailiwick of Jersey; and the Safe Harbor Privacy Principles of the United States Department of Commerce.
In addition, Member States may also assess the adequacy of third countries. This assessment will be made in the light of all the circumstances surrounding a data transfer. The law of the Member State may establish rules determining whether the protection afforded by a third country is adequate. Therefore, [Data] Controllers should check with their National Data Protection Authority to discern whether additional third countries, specific data transfer operations, or sets of data transfer operations to third countries are considered adequate according to their National Data Protection legislation.
National Data Protection Authority
The National Data Protection Authority is an independent, public authority responsible for monitoring the application of data protection law within its territory. Each national authority should be endowed with:
- Investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all necessary information for the performance of its supervisory duties;
- Effective powers of intervention, such as delivering opinions before processing operations are carried out and ensuring appropriate publication of such opinions; ordering the blocking, erasure or destruction of data; imposing a temporary or definitive ban on processing; warning or admonishing the Controller; or referring the matter to national parliaments or other political institutions;
- The power to engage in legal proceedings where the national provisions have been violated or to bring these violations to the attention of the judicial authorities;
- Jurisdiction to hear claims lodged by any person, or by an association representing that person, concerning the protection of his/her rights and freedoms with regard to the processing of personal data.
See the list of the Member States’ national data protection authorities and their contact details.
Personal Data
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. Article 2(a) of the Data Protection Directive.
This definition is meant to be broad. The principles of protection must apply to any information concerning an identified or identifiable person. In order to determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the Controller or by any other person to identify said person. Some examples of “personal data” include: personal residence address, credit card number(s), bank statement(s). See Opinion No 4/2007 on the concept of personal data issued by the Article 29 Working Party (WP 136).
Personal Data Filing System (“filing system”)
A personal data filing system (filing system) is any structured set of personal data that are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. Article 2(c) of the Data Protection Directive.
Processing of personal data
Processing of personal data means any operation or set of operations that is performed on personal data, whether or not by automatic means, such as: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Article 2(b) of the Data Protection Directive.
Processor
The Processor is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Controller. Article 2(e) of the Data Protection Directive. If an organization holds or processes personal data, but does not exercise responsibility for, or control over, the personal data, then this organization is a “Processor”.
Examples of Processors include: payroll companies, accountants and market research companies, and call centers of telecom or financial companies, all of which could hold or process personal information on behalf of someone else.
It is possible for one company or person to be both a Controller and a Processor, in respect of distinct sets of personal data. For example, a payroll company would be the Controller in respect of the data about its own staff, but would be the Processor in respect of the staff payroll data it is processing for its client companies.
A Processor is distinct from the Controller for whom he/she is processing the personal data. An employee of a Controller, or a section or unit within a company that is processing personal data for the company as a whole, is not a “Processor”. However, someone who is not employed by the Controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts), would be a Processor. A subsidiary company owned by a Controller to process personal data on its behalf (for example, to manage the payroll) is a distinct legal person and is a Processor.
Sensitive Personal Data (Special Categories of Data)
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life, and data relating to offenses, criminal convictions or security measures. Article 8 of the Data Protection Directive.
Standard Contractual Clauses
The Commission has the power to decide that certain standard contractual clauses offer sufficient safeguards as required by Article 26(2); that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.
By incorporating the standard contractual clauses into a contract, personal data can flow from a Controller established in any of the 27 EU Member States and three EEA member countries to a Controller established in a country not ensuring an adequate level of data protection. Except in very specific circumstances, National Data Protection Authorities cannot block such transfer.
Two sets of standard contractual clauses have been adopted for transfers between data controllers, and one set exists for transfers between a Controller and a Processor. Refer to FAQs on such standard contractual clauses for more information and information on the use of non-standard contractual clauses.
Third Country
Any country other than the European Union and European Economic Area Member States. Article 29.
Third Party
Any natural or legal person, public authority, agency or any other body other than the data subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. Article 2(f) of the Data Protection Directive.
Article 29 Working Party
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data is one of the entities responsible for interpreting the provisions of the Data Protection Directive. The Working Party carries out this task by issuing recommendations, opinions and working documents on different aspects of the Data Protection Directive. The Article 29 Working Party is composed of representatives of the National Data Protection Authorities of the EU Member States, representatives of the European Data Protection Supervisor and representatives of the European Commission.
Working Paper 12 (WP 12)
Working Paper 12 (WP 12) is a working document issued by the Article 29 Working Party on “Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive”. This document covers the central questions raised by the flow of personal data to third countries in the context of the application of Directive 95/46/EC. Additionally, WP 12 defines the core criteria that Article 29 Working Party believes third countries should fulfill to provide an adequate level of protection for personal data.