{"id":2960,"date":"2019-03-15T23:40:10","date_gmt":"2019-03-15T22:40:10","guid":{"rendered":"http:\/\/mouillere.com\/universconvergents\/?p=2960"},"modified":"2019-03-27T15:53:35","modified_gmt":"2019-03-27T14:53:35","slug":"rgpd-eba-et-externalisation","status":"publish","type":"post","link":"https:\/\/mouillere.com\/universconvergents\/2019\/03\/15\/rgpd-eba-et-externalisation\/","title":{"rendered":"GDPR, EBA and outsourcing"},"content":{"rendered":"\n<p>The astute law firm Lexing Alain Bensoussan Avocats has issued its recommendations for streamlining the procedures and costs arising from the requirements of the European Banking Authority (EBA) and those of the GDPR. On 25 February 2019, the EBA published the conclusions of its consultation, launched in June 2018, on the guidelines governing outsourcing, notably in the context of managing processor (subcontracting) operations within the meaning of the GDPR. <\/p>\n\n\n\n<!--more-->\n\n\n\n<p>According to the EBA, credit and payment institutions must keep an up-to-date register of outsourcing arrangements and document all outsourcing agreements, including in particular: <\/p>\n\n\n\n<p>1) the start date, the next contract renewal date, the end date and\/or the notice period; <\/p>\n\n\n\n<p>2) a brief description of the outsourced function, including the data involved and, where applicable, whether it is personal data; <\/p>\n\n\n\n<p>3) the name of the service provider and the country or countries in which the service is performed; <\/p>\n\n\n\n<p>4) whether the outsourcing concerns a critical or important function (in which case additional information must be kept); <\/p>\n\n\n\n<p>5) whether the provider is a Cloud provider, etc. 
<\/p>\n\n\n\n<p>However, while the GDPR does not require keeping a register of processors, compliance with Article 28 of the GDPR presupposes putting in place a processor management programme. Since institutions must collect under the GDPR information similar to that listed by the EBA, it would be rational to consolidate all of this information in a single file. <\/p>\n\n\n\n<p>The EBA also recommends assessing the service provider before proceeding with the outsourcing. If the outsourcing involves personal data, the institution must ensure that the provider takes appropriate technical and organisational measures to protect it. Article 28 also specifies that the institution must use only processors that provide sufficient guarantees regarding the implementation of appropriate technical and organisational measures.  <\/p>\n\n\n\n<p>The EBA sets out the list of items that must appear in the outsourcing agreement, such as provisions on data security, subcontracting of the service, the audit right of the institution initiating the operation, etc., which is reminiscent of the requirements of Article 28 of the GDPR. <\/p>\n\n\n\n<p>Like the GDPR, the EBA guidelines on outsourcing, applicable from 30 September 2019, therefore require putting in place a genuine outsourcing policy and designating a function responsible for these operations. 
Given the similarities between the EBA and the GDPR in the management of processors, it is therefore recommended to consolidate and streamline the procedures. <\/p>\n\n\n\n<div class=\"wp-block-file\"><a href=\"https:\/\/mouillere.com\/universconvergents\/wp-content\/uploads\/2019\/03\/2019-02-25-EBA-Guidelines-on-outsourcing-arrangements.pdf\">2019-02-25-EBA Guidelines on outsourcing arrangements<\/a><a href=\"https:\/\/mouillere.com\/universconvergents\/wp-content\/uploads\/2019\/03\/2019-02-25-EBA-Guidelines-on-outsourcing-arrangements.pdf\" class=\"wp-block-file__button\" download>Download<\/a><\/div>\n\n\n\n<p><a href=\"https:\/\/www.alain-bensoussan.com\/avocats\/recommandations-de-lautorite-bancaire-europeenne-sur-lexternalisation-et-rgpd\/2019\/03\/14\/ \" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"https:\/\/www.alain-bensoussan.com\/avocats\/recommandations-de-lautorite-bancaire-europeenne-sur-lexternalisation-et-rgpd\/2019\/03\/14\/  (s\u2019ouvre dans un nouvel onglet)\">https:\/\/www.alain-bensoussan.com\/avocats\/recommandations-de-lautorite-bancaire-europeenne-sur-lexternalisation-et-rgpd\/2019\/03\/14\/ <\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/eba.europa.eu\/-\/eba-publishes-revised-guidelines-on-outsourcing-arrangements \" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"https:\/\/eba.europa.eu\/-\/eba-publishes-revised-guidelines-on-outsourcing-arrangements  (s\u2019ouvre dans un nouvel onglet)\">https:\/\/eba.europa.eu\/-\/eba-publishes-revised-guidelines-on-outsourcing-arrangements <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The astute law firm Lexing Alain Bensoussan Avocats has issued its recommendations for streamlining the procedures and costs arising from the requirements of the European Banking Authority (EBA) and those of the&hellip; 
<\/p>\n","protected":false},"author":1,"featured_media":2962,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[87,16],"tags":[65],"class_list":["post-2960","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-banking-payment","category-donnees-personnelles","tag-rgpd"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/mouillere.com\/universconvergents\/wp-content\/uploads\/2019\/03\/1280px-European_Banking_Authority_svg.png?fit=1280%2C501&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6jw1p-LK","_links":{"self":[{"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/posts\/2960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/comments?post=2960"}],"version-history":[{"count":1,"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/posts\/2960\/revisions"}],"predecessor-version":[{"id":2963,"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/posts\/2960\/revisions\/2963"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/media\/2962"}],"wp:attachment":[{"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/media?parent=2960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/categories?post=2960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mouillere.com\/universconvergents\/wp-json\/wp\/v2\/tags?post=2960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}