Privacy Level Agreement

PLA WG Meeting Minutes, 19th November 2024.

    Posted Dec 02, 2024 01:01:00 AM

    Dear members,

    Please find below the summary and minutes of the group's latest call on the 19th of November.

    Minutes:

    The working group call was focused on the ongoing activity of recommendations for the transition from the CSA Code of Conduct to the EU Code of Conduct.

    Clarifying Compliance and Subject Requests
    The team discussed a partial gap identified in the general mention of compliance with applicable EU laws in ensuring processing of personal data and subject requests. They identified a need for specificity in the first sentence, suggesting the addition of "including those of the EU" to ensure compliance with applicable data protection provisions. They also noted a discrepancy in the reference to the subject request, suggesting it should be addressed in the document on how to handle such requests. The conversation concluded with the understanding that the current general nature of the statements was not sufficient and needed to be more specific.
    Enabling Customer Information for CSP
    The group discussed the appropriate procedure for enabling customers to provide the CSP with necessary information. They agreed that the existing control they were reviewing covers the necessary requirements and that the main focus should be on enabling the customer to provide the CSP with information. They also discussed the need to specify the identity and contact details of the CSP's local representative, aligning with the GDPR's Chapter 4, Section 4. They concluded that the current procedures were generally in line with the requirements.
    Addressing Confidentiality Gaps and Training
    The team discussed potential gaps in confidentiality obligations and training requirements. Jacopo suggested addressing gaps by ensuring explicit post-termination confidentiality obligations, ongoing training, and documented procedures. They debated whether to make training review recommendations mandatory controls or leave them as suggestions.

    Next steps:

    • Louis (@Louis Pinault) to review the recommendation for the record of processing activities (ROPA) provision.

    • Jacopo to update the confidentiality obligation control with post-contract obligation to confidentiality continuation.

    • Jacopo to revise the training review process control, either replacing "should" with "shall" or rephrasing it as a recommendation.


    Next call: 10 December

    Time: 08:00 a.m. P.T. / 11:00 a.m. E.T. / 16:00 GMT

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09

    Meeting ID: 829 8738 2695
    Passcode: 794440

    Kind regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------