Data Processing Agreement
In the first stage of the CPC, we check whether the given fact pattern includes any personally identifiable information.
If the answer is NO, then no data protection-related measures are required. The only instrument in place is the service contract between the cloud service provider and the cloud service customer.
If the answer is YES, the second test of the Cloud Privacy Check must be performed.
In the second stage of the CPC, we check whether a third party, involved within the cloud setup, processes personal data or has access to personal data.
The technical design of the service, as provided, is crucial. Therefore, a lawyer must analyse and understand the technical setup, i.e. the service design. Within the service design, a point of change can be defined. If the point of change is not exceeded, the setup has no specific data protection relevance. Then, the analysis under the CPC can be stopped. The sole instrument in place will be the service agreement between the cloud service customer and the cloud service provider.
If the delineation marked by the point of change has been exceeded, further controls will need to be implemented. In particular, a data processing agreement must be entered into. This is in addition to the service agreement. After the second stage, the third and the fourth tests must be performed.
In stage three of the CPC, we check whether data leaves the home jurisdiction of the cloud service customer.
If the answer is NO, then no data protection instrument is required under this test and the analysis can proceed to the fourth test.
If the answer is YES, then the cross-border "package" must be activated. This package involves some paperwork (the EU model agreement with the cloud service provider, activation of the Privacy Shield regime and respective notifications to authorities, if required). Afterwards, the fourth step is to be performed.
In the fourth test, we consider whether the cloud provider uses subcontractors.
If the answer is NO, then the cloud privacy check can be completed and no additional instrument needs to be deployed.
If the answer is YES, the set of measures we refer to as the "subcontractor package" must be implemented.
This package requires the cloud service provider to impose the obligations it has towards the cloud service customer onto the subcontractor. In addition, the cloud service customer should be informed of the fact that subcontractors are involved and where they operate. The action item in question here is "Notification to the Cloud Service Customer". The purpose of this measure is to increase transparency.
UK submission contributed by: