Updated Schrems II English (#1485)
benedicteos authored Mar 20, 2024
1 parent 27cb9ef commit ba15fb9
Showing 1 changed file with 5 additions and 8 deletions.
13 changes: 5 additions & 8 deletions content/security/cloud/_index.en.md
@@ -81,13 +81,10 @@ DigDir/Altinn has accepted this risk.

## What about Schrems II?

The Schrems II ruling from 2020 concerns personal data and transfers of such data to the USA or other so-called third countries in relation to the EU and EEA.
If personal data is to be transferred from the EU/EEA to a third country, such as the USA, there must be a legal basis for the transfer according to the General Data Protection Regulation (GDPR). A widely used basis for transferring personal data to the USA was an agreement called the EU-US Privacy Shield. In the Schrems II ruling of 2020, this agreement was declared invalid. However, on July 10, 2023, a new framework for transferring personal data between the EU and the USA was introduced through an adequacy decision that took immediate effect. An adequacy decision is a decision by the EU Commission stating that an area outside the EU and EEA has rules that safeguard privacy in a manner comparable to that of EU and EEA countries. If the EU Commission has made such a decision, personal data can be transferred to the area in accordance with the decision, and the transfer will be comparable to transfers within the EEA. It is important to note that other requirements of data protection regulations must be followed, such as having a legal basis for processing and a data processing agreement if necessary. It is also important to assess subcontractors to see if they are certified and if they are located in third countries other than the USA, as this adequacy decision only applies to transfers to the USA.

We refer to the assessment of privacy consequences (DPIA) that has been carried out for Altinn 3.
Here, assessments are also made regarding the use of cloud service providers in the wake of the Schrems II ruling.
This new framework, the EU-U.S. Data Privacy Framework, is a self-certification system where US businesses can become certified if they commit to processing personal data in accordance with the framework and provided they offer free and independent complaint mechanisms for individuals. If personal data is transferred to a certified US business, no other legal basis than this adequacy decision is required. It is also not necessary to assess the level of protection in the USA or to implement security measures. This specific interpretation of the effect of the adequacy decision is adopted by the Norwegian Data Protection Authority.

Digdir has made its assessments of Altinn in the roles of data controller and data processor for personal data.
However, the service owners, the organizations that use Altinn, are themselves responsible for the processing of
personal data in their services - as well as for their employees' and consultants' use of Altinn and support tools.
It is therefore important to emphasize that the service owners themselves must make
their own assessments for their use and specific services in their role as data controllers.
Microsoft Corporation is certified, and therefore the adequacy decision is a valid legal basis for any transfer of personal data from the EU/EEA to the USA. Microsoft Azure, like other cloud providers, extensively uses subcontractors and third parties, such as support centers in various locations worldwide. The Standard terms and conditions are designed so that the customer generally consents in advance to the provider using such subcontractors/sub-processors. As mentioned, Altinn 3 runs on Azure in Norwegian data centers. Data storage related to running services and end-users is done in Norway. Support may be provided in several different ways. Digdir will primarily use support services provided within Norway and the EU/EEA. It is Digdir itself that controls when and if to contact support personnel and what support providers should see and have access to.

Furthermore, we refer to the Data Protection Impact Assessment (DPIA) carried out for Altinn 3. Digdir has made its assessments of Altinn in the roles of data controller and data processor for personal data. However, service owners, the businesses using Altinn, are the data controllers for the processing of personal data in their services—as well as for their employees' and consultants' use of Altinn and support tools. It is therefore important to specify that the service owners themselves must make their own assessments for their use and their specific services in their role as data controllers.
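Review bot: the new sentence in the Data Privacy Framework paragraph, "It is also not necessary to assess the level of protection in the USA or to implement security measures", is too broad as written: read on its own it suggests that no security measures are required for data processed by a certified US business, which contradicts the earlier sentence in the same hunk, "It is important to note that other requirements of data protection regulations must be followed". What the adequacy decision removes is the Schrems II obligation to carry out a transfer impact assessment and adopt supplementary measures for the transfer itself; the general GDPR security obligations on the controller and processor are unchanged. Suggest rewording to "or to implement supplementary measures for the transfer". Two smaller points in the same hunk: the Microsoft paragraph says the adequacy decision is "a valid legal basis for any transfer of personal data from the EU/EEA to the USA", while the first paragraph correctly limits this to certified recipients and to the USA only, so "any transfer" should be narrowed to transfers to Microsoft in the USA; and both the adequacy decision and Microsoft's certification are stated without a reference, so a link to the decision and to the DPF certification list would let service owners verify the claim when they make the assessments the last paragraph asks of them.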
