Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Cloud Contracts: Impacts of GDPR on Joint Controllers


The GDPR clarifies the concept of “joint controllers”, which is of particular interest for the cloud computing community.

Already introduced in Directive 95/46/EC of 24 October 1995 (1) on the protection of personal data, that concept is now further detailed by the General Data Protection Regulation (“GDPR”) (2), which will apply as of 25 May 2018. What does this have to do with cloud computing? The joint controller concept actually applies to cloud computing more often than you might think.

Cloud computing and joint controllers

As a rule, a service provider is the data processor of its client’s personal data, and the client is the data controller. With cloud computing, this allocation of roles does not always hold.

In 2012, in its recommendations for companies planning to use cloud computing services (3), the French data protection authority, the CNIL, already referred to the concept of joint controllers (cotraitance or responsabilité conjointe), acknowledging that in some cases the cloud provider itself determines the means necessary for the envisaged processing of personal data (4).

For SaaS-type services (including business features), it is even, in a way, the purpose of the processing that is shared. This point is particularly sensitive because some cloud companies claim to provide only a managed hosting service (IaaS-type), yet in their terms of service they reserve the right to access the data and perform their own processing.

In keeping with the CNIL’s position, Article 26 of the GDPR includes a clear definition of the concept of joint controller and specifies that joint controllers “shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation,” and in particular:

  • the designation of a contact point for data subjects;
  • the provision of the information referred to in Articles 13 and 14 of the GDPR.

To meet those transparency requirements, the parties should conclude an arrangement (Article 26(2)).

What’s the impact for cloud contracts?

The arrangement referred to in the GDPR must duly reflect the respective roles and relationships of the joint controllers towards the data subjects.

The essence of the arrangement must be made available to the data subject.

For any cloud contract (IaaS, PaaS, SaaS), the above-mentioned obligations of the GDPR regarding joint controllers may require the following:

  • a clause “Purpose” to determine the purpose or purposes of the processing shared, in whole or in part, between the parties;
  • a clause “Means” to determine the technical and organisational measures to be taken to implement the processing operation(s) in accordance with the Regulation and the accountability principle, and to divide, where appropriate, the corresponding technical responsibilities;
  • a clause “Security” to present the physical and logical security policy agreed upon by the parties, in addition to the measures applicable in case of unauthorised intrusion (data breach process); this clause should be associated with an appendix dedicated to a security assurance plan;
  • a clause “Contact Point” and “Information of the Data Subject” to specify who will actually respond to the data subject and ensure that his or her rights are effectively respected;
  • a clause specifying if, when and how a processor can engage another processor;
  • a clause “Confidentiality”, which should guarantee confidentiality not only from the employees of each joint controller, but also from any subcontractors or freelancers hired by either of the parties;
  • the location of the data and the respective responsibilities in case of cross-border processing;
  • the distribution of risks and responsibilities between the joint controllers, it being specified that each joint controller is jointly and severally liable to the data subject (Article 26(3) of the GDPR);
  • clarifications on the termination of contractual relationships and the destruction of data in the cloud.

Beyond cloud computing, the concept of joint controller within the meaning of the GDPR may also be relevant in other circumstances, such as when data are exchanged between companies within the same group or belonging to the same distribution network.


  1. Directive 95/46/EC of 24-10-1995, Art. 2(d)
  2. Regulation 2016/679 of 27-4-2016
  3. CNIL, Recommendations, available in French and in English on, page 6
  4. Post of 23-7-2013

Article provided by: Eric Le Quellenec, Lexing Droit Informatique

Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project

CPC project office: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start...



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.