GDPR third countries

 

The GDPR regulates the transfer of personal data to third countries. For a transfer to be authorised, it must be based on either an adequacy decision, appropriate safeguards ensuring an adequate level of data protection, or one of the derogations provided for in the GDPR.


Recital 101 provides guidance on the rules for transferring personal data to a third country:

  • A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

 

Article 45 « Transfers on the basis of an adequacy decision » is the basis on which the European Commission determines whether or not a third country ensures an adequate level of protection.

The adoption of an adequacy decision based on Article 45 of the GDPR involves:

  • A proposal from the European Commission
  • An opinion of the European Data Protection Committee
  • An approval by the representatives of the EU countries
  • Adoption of the decision by the European Commission


At present only a limited list of third countries are considered to provide adequate protection, so that personal data may be transferred to them on that basis.

The list of countries currently recognised as adequate by the European Commission is as follows:

  • Andorra,
  • Argentina,
  • Canada (commercial organisations),
  • Faroe Islands,
  • Guernsey,
  • Israel,
  • Isle of Man,
  • Japan,
  • Jersey,
  • New Zealand,
  • Republic of Korea,
  • Switzerland,
  • United Kingdom (under the GDPR and the LED),
  • Uruguay.

With the exception of the UK, these adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).


In the absence of an adequacy decision under Article 45 of the GDPR, Article 46 « Transfers subject to appropriate safeguards » provides a list of « appropriate safeguards » on which a transfer to a third country may also be based.

These appropriate safeguards can be of various kinds:

  • Binding Corporate Rules (Article 47 of the GDPR): these are internal binding corporate rules relating to transfers of personal data to countries outside the European Union. They therefore constitute an internal « Code of Conduct » within a company group, defining the data transfer policy for each of the entities that make up the group, including their employees
  • Standard Contractual Clauses (Article 93(2)) adopted by the European Commission, which have very recently been recast
  • Codes of conduct approved under Article 40
  • International agreements or administrative commitments

 

In the absence of both an adequacy decision (Article 45) and appropriate safeguards (Article 46), the only remaining option is one of the derogations provided for by Article 49 of the GDPR « Derogations for specific situations ».


These derogations are as follows:

  • The data subject has given his/her explicit consent to the transfer
  • The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures (or for a contract concluded in the data subject's interest if he or she is not party to it)
  • The transfer is necessary for important reasons of public interest
  • The transfer is necessary for the establishment, exercise or defence of legal claims
  • The transfer is necessary to protect the vital interests of the data subject or of other persons
  • The transfer is made from a register which is intended to provide information to the public and is open to consultation by the general public

Without an adequacy decision, appropriate safeguards, or derogations, the GDPR does not allow the transfer of personal data to a third country.


This article is only a short and incomplete one, but it aims to give you an idea of what the GDPR requires in certain situations. As non-compliance with the GDPR can lead to very heavy fines, I strongly advise you to ask your DPO or your GDPR consultant for advice and much more complete information.

GDPR European Union representative

 

All companies, organisations (or associations), wherever they are located in the world, whatever their size, whatever their sector of activity, whether public or private, must comply with the GDPR as long as they process personal data of individuals located in Europe; otherwise they may be required to pay large fines in the event of an inspection.

One of the obligations of the GDPR for companies based outside the EU that process personal data of individuals located in Europe is to appoint a GDPR representative in Europe. This is an obligation, not an option. However, there are circumstances in which it is possible to be exempt from this obligation.

Let’s start with the definition of a GDPR representative as set out in Article 4(17).
What is a representative under the GDPR?

 

The first source I will share with you is Recital 80, which is part of the full GDPR, along with 172 other recitals and 99 articles. This recital explains in detail the obligations regarding the appointment of a GDPR representative for a non-EU entity.

The following is a brief summary of Recital 80 of the GDPR, for ease of reading and understanding of what the representative is, how it is designated and what its role is.

 

The second source I will share is Article 27 of the GDPR, which concerns the obligation to appoint a representative of the « controller » in Europe, if the company is based outside the EU and deals with personal data of individuals located in Europe. This article also explains what the exemptions are regarding the appointment of a GDPR representative in Europe.

 

Here I will focus on the exemption from the appointment of a European GDPR representative for entities based outside the EU.

According to the GDPR, the following cases allow an entity to be exempted from the appointment of a representative in the European Union.

These exemption possibilities are not cumulative: if only one of the cases is present, the exemption is not possible. This is most often the case for non-occasional processing. This is the end of this short article about the obligation on any entity located outside the European Union that processes personal data of persons located in Europe to appoint a representative, and about the possibility of exemption from such designation.

That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer. Because the fines for not respecting the GDPR can be very expensive.

 

Re-use of personal data in the context of the GDPR

 

I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose?

So first of all, what is personal data in the sense of the GDPR? Many people don't really know what personal data is and think that it is limited to names, surnames and addresses. Fortunately, Article 4 gives the official definition of personal data.

 

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

The European Commission website provides a non-exhaustive list with examples of personal data.

 

  • A first and last name.
  • A personal address.
  • An e-mail address such as personalname@company.
  • An identity card number.
  • Location data (e.g. location data function on a mobile phone)*.
  • An Internet Protocol (IP) address.
  • A cookie identifier*.
  • Your phone’s advertising ID.
  • Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

 

The same site also gives a short, equally non-exhaustive list of what is not personal data.

 

  • A business registration number.
  • An email address as info@company.com.
  • Anonymised data.

 

Having settled this, let's get back to the problem at hand: « I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose? »

So what elements do we have to answer the question:

 

  • Collection of personal data.
  • Collected before the GDPR, i.e. before May 2018
  • Collected for a specific purpose.

 

Whereas the GDPR requires a legal basis for the processing of personal data.
Whereas the GDPR requires a time limit on the retention period.
Whereas the processing has received consent for a specific purpose.

These elements of the answer obviously apply to all types of personal data.

Let us ask ourselves different questions:
What is the legal basis for the retention period? Is the retention period compatible with Article 5.e of the GDPR, which states that personal data must be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

 

Is the further processing, after the initial consent, compatible with Article 5.b, which requires that personal data be:

 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

 

And the answers to the questions we have asked ourselves will determine whether we can legally re-use the data collected.

 

  • If the retention period has been set to be compatible with Article 5.e of the GDPR, we have a first element that allows us to re-use this data. If the retention period is not compliant, we will not be able to re-use the data legally.
  • Then, if the retention period is compliant AND the purpose for re-using the personal data is respected and therefore remains the same as the initial consent, there is nothing to prevent the re-use.
  • On the other hand, if the retention period is compliant BUT the purpose for re-use of the data does not correspond to the purpose of the initial consent, then re-use is not allowed for this new purpose.

 

BUT it is a bit more complex than that, and the European Commission gives further guidance on the re-use of data for a new purpose:

 

If your company/organisation has collected data on the basis of a legitimate interest, contract or vital interests, it may be used for another purpose but only after checking that the new purpose is compatible with the original purpose.

Attention should be paid to the following points:
– the link between the original purpose and the new or future purpose
– the context in which the data were collected (What is the relationship between your company/organisation and the data subject?)
– the type and nature of the data (Are they sensitive?);
– the possible consequences of the envisaged further processing (What impact will it have on the data subject?);
– the existence of appropriate safeguards (such as encryption or pseudonymization).

If your company/organisation wishes to use the data for statistical or scientific research purposes, there is no need for a compatibility test.
If your company/organisation has collected data on the basis of consent or in compliance with a legal requirement, no further processing beyond the areas covered by the original consent or legal provision is possible. Further processing would require a new consent or legal basis.

Examples
Further processing is possible.
A bank has a contract with a customer to provide a bank account and a personal loan. At the end of the first year, the bank uses the customer’s personal data to check whether he or she is eligible for a better type of loan and a savings plan. It informs the customer of this. The bank may process the customer’s data again because the new purposes are compatible with the original purposes.

Further processing is not possible.
The same bank wants to share the customer’s data with insurance companies, based on the same contract for a bank account and a personal loan. This processing is not allowed without the explicit consent of the customer as the purpose is not compatible with the original purpose for which the data were processed.

References
– Articles 5(1)(b), 6(4), 89(1); Recitals 39, 50
– Article 29 Working Party. Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203)

 

The answer to the question of re-using personal data is therefore not so simple, and you will have to ask yourself several questions before knowing whether or not it will be possible to re-use personal data for a new purpose.

That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer. Because the fines for not respecting the GDPR can be very expensive.

 

 

Sources:
https://gdpr-text.com/ 
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en


Metasploitable


Metasploitable is a Linux-based virtual machine. It is intentionally vulnerable and can be used legally as a practice target. The Metasploitable project is created and maintained by the Rapid7 community (the Metasploit Framework community). In simple terms, Metasploitable is a Linux-based operating system specifically designed for practising penetration testing and network security skills. It can be accessed online or installed on a virtual machine, in which case you will need to download it by clicking on this link.

I will use it to demonstrate scans with different tools in some upcoming articles. It is of course obvious that, to be able to use the different tools against the vulnerable Metasploitable machine, that machine will have to be booted!


Download the official Kali Linux manual for free

 

Kali Linux is a Debian-based distribution. It is the successor to BackTrack. It is a project maintained by Offensive Security, oriented towards penetration testing, forensic analysis, reverse engineering, security auditing, etc.
This distribution is the favourite of information security professionals worldwide; it contains more than 600 of the best tools preinstalled. Offensive Security offers a free download of a 344-page document in English that is considered the first official Kali Linux manual.
Whether you are a beginner or an expert, this document will be a gold mine for everyone, one you will consult regularly for guidance or to refresh your memory. It can also serve as a roadmap, a technical reference and a study guide for those wishing to take the KLCP (Kali Linux Certified Professional) certification offered by Offensive Security.

Without further ado, here is the link to download the manual for free and legally.

https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf

 

Do not forget that the use of the various tools and techniques could, in certain circumstances, put you outside the law. Please comply with the legislation in force in France by following the guidelines I published in the article entitled “Rappel des textes en vigueur concernant les atteintes aux systèmes de traitement automatisé de données”.


Help research through distributed computing with BOINC

BOINC (Berkeley Open Infrastructure for Network Computing) is a free, open-source, cross-platform (Windows, Mac, Linux and Android) distributed computing software platform. It lets you take an active part in scientific research in various fields, including (non-exhaustive list) the physical sciences and mathematics, but also biology and medicine. The applications are many and varied, and everyone can make their own choice by visiting the wiki of BOINC projects https://fr.wikipedia.org/wiki/Liste_des_projets_BOINC . I have personally used BOINC for many years, taking part in various medical research projects, for example cancer research. It was seeing various chain-letter style posts on social networks that made me decide to write this article.

Here is the project that is close to my heart and in which I personally take part: the Rosetta@home project https://fr.wikipedia.org/wiki/Rosetta@home which, besides research into the computation of fundamental methods, is directly linked to research against certain diseases including malaria, anthrax, HIV, Alzheimer's disease, various cancers, and various viruses.

 

There you go, I hope I have made you a little more aware of other things that can be done with your computer, tablet and smartphone! You can all help research, and for free, just by sharing a little time and computing power with BOINC.


The United States Department of Defense pays hackers.

A first for the US government. In 2016 the DoD, the United States Department of Defense, launched its first bug bounty, the « Hack the Pentagon » program, inviting « white hat » hackers via the HackerOne site to test the robustness of its various public networks for a period of 24 days. Other bug bounties followed, including that of the US Army in 2016, which lasted a little over 3 weeks, and that of the US Air Force in April 2017, which lasted more than 25 days.

For the « Hack The Pentagon » program, of the 200 reports submitted, 138 were judged « legitimate, unique and eligible for a bounty », earning the 250 hackers eligible for this challenge a total of $75,000 in rewards. The first report was submitted after 13 minutes. The youngest participant was 14 and the oldest 53. Among the various vulnerabilities discovered, one of the most critical was an SQL injection flaw, which is among the most widespread vulnerabilities according to the OWASP Top 10.

The « Hack The Army » program had 371 participants eligible for the challenge, who submitted a total of 416 reports. The first report was submitted after only 5 minutes. The 118 reports judged « legitimate, unique and eligible for a bounty » earned the hackers a total of $100,000 during this campaign. An extremely critical vulnerability was discovered by a hacker who creatively chained a series of bugs, which allowed him to access an internal network of the US Department of Defense that should only have been accessible with special credentials.

Next came the « Hack The US Air Force » program, which was also very productive. The first report was submitted after 1 minute. 272 hackers eligible for the challenge took part in this bug bounty. Among the reports judged « legitimate, unique and eligible for a bounty », no fewer than 207 unique vulnerabilities were discovered, earning the various participants no less than $130,000. One 17-year-old participant even found more than 30 vulnerabilities on his own. A « Hack The US Air Force 2.0 » also took place between December 2017 and January 2018.

Before the DoD began its bug bounty programs, it would have been unthinkable, because completely illegal, for these hackers to search for vulnerabilities on the Department of Defense's various public websites, even if their aim had been to disclose the flaws to the DoD.

This is therefore a fine example of cybersecurity awareness, legally involving « white hat » hackers in the process of identifying problems, a very important phase in securing networks. It is an example that all Operators of Vital Importance (OIV) and the various government bodies should follow.