Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

To be or not to be (a processor). That is the question.


In the case of a service provider that is not contracted by a controller to process personal data on its behalf but may gain custody of the controller’s personal data incidentally to the core services provided, should a contract with the controller-processor clauses required under GDPR Article 28 be drawn up?

In the run-up to the GDPR date of 25 May 2018, many of us received email requests to consent to processing – mostly to opt in to direct marketing. Many organisations also faced a wave of contract addenda adding new “GDPR clauses” to existing contracts because they were considered processors. 

In many cases, the addenda were necessary to comply with Article 28 of the GDPR. However, some service providers were overwhelmed by the sheer volume of clauses in these addenda in the context of the limited processing of personal data that was carried out.

There has been detailed analyses published to determine in which circumstances a service provider should be considered a controller or a processor. The Working Party 29 opinion  of 2010 is a definitive reference. However there are cases where the controller is contracting a service provider for services that do not involve “data processing” but during the provision of the service, there may be instances where personal data may be “processed” under the GDPR definition of “processing”.

An example is an IT hardware supplier who may be required to patch a router or a server or to carry out a repair or to trouble-shoot a fault. The supplier would be granted access to the device. In some cases, the supplier will need to take custody of the device. If the device stores any personal data, the supplier may be “processing” since the GDPR definition of processing includes “storage”.

The objective of the processor obligations under the GDPR are there to "avoid situations whereby processing by a third party on behalf of the controller of the file has the effect of reducing the level of protection enjoyed by the data subject." [Council of Europe Convention 108 ] To this end, in the scenario of the IT supplier, the mere custody of a device is enough to imply an obligation to safeguard that device against damage, theft or misuse. That obligation is not dependent on the case where it contains personal data. If it did, the consequences of theft or misuse would have more significant consequences than if it did not.

In the example, whether there should be controller-processor contract clauses with the IT supplier could hinge on whether the IT supplier gets custody of the device or when he is asked to perform some service that falls within the GDPR definition of “processing”. In practice, what often happens is that those clauses do get included is maintenance contracts or in the small print of a service sheet “just in case”. 


Article provided by: George Sammut - Founder/Member, Malta IT Law Association


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.