Avv. Gian Marco Rinaldi
Avv. Debora Stella
Bird & Bird Italy
27 May2016
SLALOM - Ready to Use Cloud
Master Agreement for S...
2
Introduction
 Bird & Bird:
• an international legal practice with over 1,200 lawyers and legal practitioners worldwide
...
3
Purpose of Slalom
 SLALOM aims at creating a set of cloud computing terms and conditions
covering all aspects of the re...
Avv. Gian Marco Rinaldi
Main SLALOM Contractual Issues
5
Structure of the CSA
• The Cloud Service Agreement or CSA is the main document
setting out the terms and conditions of t...
6
Contents of the CSA
The CSA includes clauses relating to:
1) Service Levels
2) Variation of the services
3) Obligations ...
7
Deliverable 2.1
General description of the section
This provision describes […]
Standard clauses used in the market
The ...
Clauses to discuss
Today we will particularly discuss the following clauses:
1) Service Levels – Service Credits
2) Variat...
Service Level – Service Credits
• The CSA provides a section (Section 3) establishing that the Services have
to be provide...
Variation of the services
• Section 4 of the CSA set forth that Provider will be entitled to change
the services provided ...
Intellectual Property Rights
• In cloud computing agreement we need to consider three main
points relating intellectual pr...
12
Liability
• The CSA (Section 12.2) set forth that the Parties may provide a cap.
Such cap, according to European legisl...
13
• The Provider shall not delete the then existing Adopter Data until
the Retrieval Period or the Transfer Period under ...
Avv. Debora Stella
Data Protection in SLALOM
Approach
15
• One clause in the main body of the CSA to address the essential
elements ruling on the processing of personal data in...
Adopter (controller)
 to set up main formal
compliance actions (e.g.
notices, consents, DPA
requirements)
 to give lawfu...
17
Comprehensive description of data protection requirements of
the Services, including:
 What are the types of data unde...
How to Practically Apply SLALOM
Legal Terms in Your SLAs
19
Service Level Agreement
Section 3 - Service levels
3.1 The Provider shall provide the Services in accordance with the S...
20
3.4 Within [to be inserted] ([to be inserted]) days after the end of
each month during the Term of the Cloud Service Ag...
21
ALTERNATIVE - 3.4
3.4 The Adopter shall be entitled to remotely monitor the
ongoing performance of the Services having ...
22
Section 7 - Service credits
7.1 If at any time the Provider fails to meet any Service Level
Objectives, the Provider sh...
23
Section 7: Service credits
7.3 The payment of the Service Credits under the above Section 7.1
states Provider's sole an...
24
Adopter's preliminary actions (main) – get a clear picture
• What type of data will be processed under the Services? Ar...
25
Adopter's preliminary actions (main) – get a clear picture (2)
• Ask for (and understand) details of the data processin...
26
Provider's preliminary actions (main)
• Be clear on the data processing operations under the Services
(what operations ...
27
Provider's preliminary actions (2)
• Consider getting approved Certifications and/or adhering to
approved Codes of Cond...
28
• Adapt Attachment 5 to the specificities of the Service(s) under
the CSA:
o 4.1 (a) details of categories of personal ...
29
Any questions ?
Should you have any question,
please ask or feel free to email
your questions to:
- daniel.field@atos.n...
30
SLALOM is a CSA financed by European
Commission under Grant agreement 644270
For more information on the initiative con...
Upcoming SlideShare
Loading in …5
×

SLALOM Webinar Final Legal Outcomes Explanined "Using the SLALOM Contract Service Agreement Model in your #Cloud #SLA" v1Legal slalom legal webinar 27 may 2016

109 views

Published on

SLALOM organized two live sessions to present the final versions of our legal terms and technical specifications for #Cloud #SLAs. The sessions provide examples showing how to practically apply SLALOM to improve current practice in the industry for # Cloud #SLAs and support development of cloud computing metrics.
The second webinar covered SLALOM legal track, "Ready to Use Cloud Master Agreement for SLAs". You can now have access to the slides used in the legal webinar here.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
109
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

SLALOM Webinar Final Legal Outcomes Explanined "Using the SLALOM Contract Service Agreement Model in your #Cloud #SLA" v1Legal slalom legal webinar 27 may 2016

  1. 1. Avv. Gian Marco Rinaldi Avv. Debora Stella Bird & Bird Italy 27 May2016 SLALOM - Ready to Use Cloud Master Agreement for SLAs
  2. 2. 2 Introduction  Bird & Bird: • an international legal practice with over 1,200 lawyers and legal practitioners worldwide • leading-edge expertise across a full range of legal services (intellectual property, information technology, commercial corporate, EU and competition, dispute resolution, employment, finance, real estate and tax) • 27 offices in Europe, Middle East, Asia and Australia • 150 lawyers in the Tech&Comm international group • Specialists in cross-border and multi-jurisdictional work  Gian Marco Rinaldi (gianmarco.rinaldi@twobirds.com): • A senior associate lawyer of Bird & Bird Italy focussing on information technology, cloud computing, software licensing, copyright, e-commerce, big data, agile development, electronic signatures  Debora Stella (debora.stella@twobirds.com): • A senior associate lawyer of Bird & Bird Italy with 20 year of expertise on data protection and IT law. *** • We are currently working also on the CoCo-Cloud project, http://www.coco-cloud.eu/
  3. 3. 3 Purpose of Slalom  SLALOM aims at creating a set of cloud computing terms and conditions covering all aspects of the relationship between a Provider and an Adopter of cloud computing services  In our work on Deliverable 2.1 we have analyzed the provisions that are generally included in an agreement for cloud services setting out the possible different interests, positions and perspectives of the two parties involved  We drafted the contractual provisions of the proposed SLALOM model CSA taking into consideration the main legislations and regulations applicable to the relevant provisions in Italy, Germany, the UK, France and Greece (excluding industry sector legislations that may be concerned)
  4. 4. Avv. Gian Marco Rinaldi Main SLALOM Contractual Issues
  5. 5. 5 Structure of the CSA • The Cloud Service Agreement or CSA is the main document setting out the terms and conditions of the contractual relationship between the Provider and the Adopter in relation to the provision of cloud services • The CSA provides the following attachments: – Attachment 1: Services Description – Attachment 2: Service Level Agreement – Attachment 3: Acceptable Use Policy – Attachment 4: Consideration – Attachment 5: Data Protection – Attachment 6: Security
  6. 6. 6 Contents of the CSA The CSA includes clauses relating to: 1) Service Levels 2) Variation of the services 3) Obligations of the Adopter 4) Charges 5) Service Credits 6) Intellectual Property 7) Termination and consequences of termination 8) Confidentiality Obligations 9) Liability 10) Subcontracting 11) Data Protection 12) Governing Law and Jurisdiction
  7. 7. 7 Deliverable 2.1 General description of the section This provision describes […] Standard clauses used in the market The cloud computing agreements of some Providers […] Provider’s perspective Adopter’s perspective The Provider could prefer […] For the Adopter it is important that […] Position proposed by SLALOM The main obligation of the Provider […] SLALOM proposed text 2.1 The Provider shall […] 2.2 The Adopter shall […]
  8. 8. Clauses to discuss Today we will particularly discuss the following clauses: 1) Service Levels – Service Credits 2) Variation of the services 3) Intellectual Property 4) Liability 5) Termination and consequences of termination 6) Data Protection
  9. 9. Service Level – Service Credits • The CSA provides a section (Section 3) establishing that the Services have to be provided in accordance with certain Service Levels • The section refers to Attachment 3 (Service Level Agreement) detailingthe Service Levels and the Service Level Objectives to be fullfilled by the Providers • Section 7 provides that, if the Provider fails to meet any Service Level Objectives, the Provider shall pay the Service Credits defined in the Attachment 3 to the CSA • We have two alternatives: a) the payment of the Service Credits states the Provider’s sole and entire obligations and liability b) the payment of the Service Credits shall not limit the Adopter’s right to claim compensation for any further damage and any other rights and remedies for the Provider’s failure to meet the service levels
  10. 10. Variation of the services • Section 4 of the CSA set forth that Provider will be entitled to change the services provided that such changes do not determine in any way a reduction of the functionalities or characteristics of the services as they were offered at the effective date of the agreement. • If the Provider wishes to reduce the functionalities and characteristics of the services, such changes need to be approved in writing. • Exception for a) Improvements due to bugs, defects, malfunctioning b) and in case of new laws, regulations acts or orders of the authorities which require changes to the Services. In all these cases, however, if the changes provoke a reduction of the functionalities or characteristics of the Services, the parties must agree a fair and proportionate reduction of the due charges.
  11. 11. Intellectual Property Rights • In cloud computing agreement we need to consider three main points relating intellectual property issues: a) Intellectual property rights of the Provider b) Intellectual property rights of the Adopter c) Intellectual property rights of third parties providing applications on the platform of the Provider and possible connected development activities d) Intellectual property rights of third parties owning right on Adopter’s data • Background rights of the Parties • Warranties and representation on third-party contents
  12. 12. 12 Liability • The CSA (Section 12.2) set forth that the Parties may provide a cap. Such cap, according to European legislation on consumers, will be not applicable to consumers • The cap is not applicable in case of i) willful misconduct of either parties; ii) deceit, theft, fraud or fraudulent misrepresentation by the Party or (their subcontractors); iii) death or personal injuries; iv) intellectual property obligations; v) breach of confidentiality obligations • Service Credits may be taken or not taken (two possible alternatives) into account when assessing if the cap has been met or exceeded
  13. 13. 13 • The Provider shall not delete the then existing Adopter Data until the Retrieval Period or the Transfer Period under have expired • The Adopter shall be entitled to retrieve the Adopter Data stored on the System in a structured and widely-used format, capable of ensuring portability of the Adopter Data, for a period of x days after the expiration or termination date (hereinafter, "Retrieval Period") • Upon request of the Adopter, and at its expenses, the Provider shall transfer the data to the Adopter or to any third party provided by the Adopter within an agreed timing (“Transfer Period”) • Once the Retrieval Period and the Transfer Period are expired, the Provider shall destroy the data Consequences of termination or expiration
  14. 14. Avv. Debora Stella Data Protection in SLALOM Approach
  15. 15. 15 • One clause in the main body of the CSA to address the essential elements ruling on the processing of personal data in the Services AND • A detailed attachment to provide specific rules on obligations of the parties in relation to the processing of personal data The proposed model is built also on the obligations contained in the recently approved General Data Protection Regulation (i.e. more stringent rules, including accountability, and direct obligations for data processors) Protection of Personal Data
  16. 16. Adopter (controller)  to set up main formal compliance actions (e.g. notices, consents, DPA requirements)  to give lawful directions/instructions to the Provider (Attachment 5) Provider (processor)  to comply with the Adopter's instructions  to implement measures for the processing to meet the legal requirements  to make available a security-monitoring-tool 16 • Clear definition of the roles of the parties based on one of the most common scheme • How their responsibilities and liabilities are shared Main obligations on processing of personal data
  17. 17. 17 Comprehensive description of data protection requirements of the Services, including:  What are the types of data under the Service, who they refer to, and where data they are stored/available  Restriction on secondary use of data (purpose limitation and staff restriction on access)  Provider's disclosure obligation on law enforcement obligations  Provider's cooperation duties  Clear conditions for subcontracting  Transfer of data under specified instrument (e.g. SCC C2P)  Security requirements (to match with other sections of CSA)  Reporting duties and certification/codes of conducts adhere  Data portability and deletion Data Processing Addendum
  18. 18. How to Practically Apply SLALOM Legal Terms in Your SLAs
  19. 19. 19 Service Level Agreement Section 3 - Service levels 3.1 The Provider shall provide the Services in accordance with the Service Levels under Attachment 2 to this Cloud Service Agreement. 3.2 Where the Provider fails to fulfil the Service Level Objectives during the Term of the Cloud Service Agreement, Section 7 below shall apply. 3.3 Without prejudice to any possible rights, remedies and/or actions of the Adopter in accordance with applicable law or this Cloud Service Agreement, the Provider shall inform the Adopter, as soon as reasonably practicable, of any anticipated failure to meet any Service Level Objective and of the steps that the Provider will take (or has already taken) to prevent the failure from occurring.
  20. 20. 20 3.4 Within [to be inserted] ([to be inserted]) days after the end of each month during the Term of the Cloud Service Agreement, the Provider shall provide or make available to the Adopter a Report including the following information: a) applicable Service Levels; b) Service Levels Objective accomplished; c) Service Levels Objective not-accomplished; d) application of possible Service Credits, in accordance with Section 7.1 of this Cloud Service Agreement. Service Level Agreement
  21. 21. 21 ALTERNATIVE - 3.4 3.4 The Adopter shall be entitled to remotely monitor the ongoing performance of the Services having the rights to access, on a continuous basis, a Report providing the following information: a) applicable Service Levels; b) Service Levels Objective accomplished; c) Service Levels Objective not-accomplished; d) application of possible Service Credits, in accordance with Section 7.1 of this Cloud Service Agreement]. Service Level Agreement
  22. 22. 22 Section 7 - Service credits 7.1 If at any time the Provider fails to meet any Service Level Objectives, the Provider shall pay the Adopter the appropriate Service Credits in accordance with the following Sections 7.2 and 7.3. 7.2 The amount of any Service Credits payable under above Section 7.1, will be calculated in accordance with Attachment 2. Service Credits may be recovered by the Adopter as a credit against the next invoice which may subsequently be due for issue under this Agreement in accordance with above Section 6 or, if no such invoice is due, as a debt due by the Provider and payable within 30 (thirty) days after demand. Service Level Agreement
  23. 23. 23 Section 7: Service credits 7.3 The payment of the Service Credits under the above Section 7.1 states Provider's sole and entire obligation and liability, and Adopter's sole and exclusive right and remedy for any failure to meet the Service Levels under this Agreement. [ALTERNATIVE – 7.3 The payment of the Service Credits under the above Section 7.1 shall not limit the Adopter's right to claim compensation for any further damage and any other rights and remedies for the Provider’s failure to meet any Service Level in accordance with the terms and conditions of Section 12.2.2 below.] Service Level Agreement
  24. 24. 24 Adopter's preliminary actions (main) – get a clear picture • What type of data will be processed under the Services? Are all or part of them personal data? • Categorize them: are they special categories of data (e.g. health data) or other types of data that need to comply with specific restrictions under the applicable DP law? [impact on transfer and/or security requirements] • Identify the chain of control on the data (e.g. is the Adopter a data processor or a data controller in relation to them?) [if data processor, consider conditions of subprocessing under the main contract] • Be transparent to the Provider about your data processing Data Protection – Prepare for SLA
  25. 25. 25 Adopter's preliminary actions (main) – get a clear picture (2) • Ask for (and understand) details of the data processing operations under the Services (what operations are done, how, where). Be active (not passive) when interacting with the Provider and get the essentials about the data processing: positive impact for both of you • Check for the Provider's certifications or adherence to Codes of Conducts, if any [benefit of certain simplifications] • Check your documentation with the data subjects to ensure it covers the data processing under the Service (notice and consent if required) • Check if peculiarities in the processing require a prior consultation/authorization by the DPA Data Protection – Prepare for SLA
  26. 26. 26 Provider's preliminary actions (main) • Be clear on the data processing operations under the Services (what operations are done, how, where) • Understand what are type of data will be processed under the Services? Are all or part of them personal data? • Set up in advance, on a standardized basis, your contractual arrangements with subcontractors to meet the data protection obligations applicable to your types of Services • Be prepared to show the subcontracting chain, if any Data Protection – Prepare for SLA
  27. 27. 27 Provider's preliminary actions (2) • Consider getting approved Certifications and/or adhering to approved Codes of Conduct • Assessing the risk and have a data breach and security incident response plan • Have security details about the Services documented (with a reasonable level of details) • Set up monitoring tools for SLA, including security Data Protection – Prepare for SLA
  28. 28. 28 • Adapt Attachment 5 to the specificities of the Service(s) under the CSA: o 4.1 (a) details of categories of personal data o 4.1 (b) categories of data subjects o Identify the governing data protection law • Set up a list of existing subcontractors and details of their subprocessing operations • Sign the SCCs or identify any alternative legal basis for the transfer of data outside the EU, if any • Set up a data breach and incident reporting team • Have a security requirement attachment drafted for the Service (Attachment 6) Data Protection – Adapting the model
  29. 29. 29 Any questions ? Should you have any question, please ask or feel free to email your questions to: - daniel.field@atos.net (SLALOM Project Coordinator) - gianmarco.rinaldi@twobirds.com - debora.stella@twobirds.com
  30. 30. 30 SLALOM is a CSA financed by European Commission under Grant agreement 644270 For more information on the initiative contact us: @CloudSLAlom www.SLALOM-Project.eu SLALOM Project Coordinator (daniel.field@atos.net)

×