7.2.2. Personal Data Protection: Legislation and Proposal

Personal Data Protection 1/6

Current EU Legislation

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, P. 0031 - 0050

Proposal in the end phase of processing

COM/2012/011 Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

What kind of data might be under personal data protection? 2/6

  What can be protected in the EU?

Fig. 7.2.2/1

Legal definition 3/6

(1) 'data subject'

means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2) 'personal data'

means any information relating to a data subject;

Conclusions

The majority of data falls into the category of "personal data", because means of "identification" (especially indirect ones) can be unexpectedly effective, especially in cloud storage.

(3) 'processing'

means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;

Conclusions

Can you try to imagine any cloud service that is not covered by this definition of "processing"?

Quiz 4/6

Question

What should you do if your cloud contains data that has been gathered, but possibly not legally?

Overview articles 5/6

Article 5 Principles relating to personal data processing

Personal data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject;
  2. collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  3. adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
  4. accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
  6. processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.

Article 6 Lawfulness of processing

  1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
    1. the data subject has given consent to the processing of their personal data for one or more specific purposes;
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    3. processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. processing is necessary in order to protect the vital interests of the data subject;
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    6. processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

Article 7 Conditions for consent

  1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.
  1. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Article 11 Transparent information and communication

  1. The controller shall have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights.
  2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.

Article 17 Right to be forgotten and to erasure

  1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, ... , where one of the following grounds applies:
    1. the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    2. the data subject withdraws consent on which the processing is based ..., or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
    3. ...
    4. the processing of the data does not comply with this Regulation for other reasons.
  2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorized a third party publication of personal data, the controller shall be considered responsible for that publication.

Article 26 Processor

  1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
  2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:
    1. act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
    2. employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
    1. enlist another processor only with the prior permission of the controller;
    2. insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organizational requirements for the fulfilment of the controller's obligation ...;
    1. make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
  3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

Article 30 Security of processing

  1. The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
  2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data.
  3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organizational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.
  4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to:
    1. prevent any unauthorized access to personal data;
    2. prevent any unauthorized disclosure, reading, copying, modification, erasure or removal of personal data;
    3. ensure the verification of the lawfulness of processing operations.

Article 31 Notification of a personal data breach to the supervisory authority

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

Article 39 Certification

  1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided ...
  2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.
  3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. ...

Article 40 General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization.

Overview 6/6

  • many restrictions on processing when personal data are concerned
  • almost everything is "personal data"
  • the rules are more related to traditional processing than to cloud technology; many problems result from this approach
  • severe problems with data traffic between the EU and the USA
  • duties and responsibility are concentrated around the organization collecting and managing the data rather than around the provider of strictly technical services
  • in case of security breaches, the authorities and the data owner have to be informed
  • the right to be forgotten: a person may request the erasure of data about them (including copies created elsewhere)
  • it is unclear how and what can be erased on request




The project "Cloud Computing – new technologies in the teaching offer of Politechnika Wrocławska" (UDA.POKL.04.03.00-00-135/12) is carried out under the Human Capital Operational Programme, Priority IV. Higher education and science, Measure 4.3. Strengthening the teaching potential of universities in areas key to the objectives of the Europe 2020 Strategy, co-financed by the European Social Fund and the state budget.