Cloud Contracts: Impacts of GDPR on Joint Controllers
Cloud computing and joint controllers
As a rule, a service provider is the data processor of the personal data of its client, who is considered the data controller. With cloud computing, this rule may not hold.
In 2012, in its recommendations for companies planning to use cloud computing services (3), the French data protection authority, the CNIL, already referred to the concept of joint controllers (cotraitance or responsabilité conjointe), acknowledging the fact that in some cases the cloud provider itself determines the means necessary for the envisaged processing of personal data (4).
For SaaS-type services (including business features) it is even, in a way, the purpose of the processing that is shared. This last point is particularly sensitive because some cloud companies claim to provide only a managed hosting service (of the IaaS type), and yet in their terms of service they reserve the right to access the data and perform their own processing.
In keeping with the CNIL’s position, Article 26 of the GDPR includes a clear definition of the concept of joint controller and specifies that joint controllers “shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation,” and in particular:
- the designation of a contact point for data subjects;
- the provision of the information referred to in Articles 13 and 14 of the GDPR.
To meet those transparency requirements, the parties should conclude an arrangement (Article 26(2)).
What’s the impact for cloud contracts?
The arrangement referred to in the GDPR must duly reflect the respective roles and relationships of the joint controllers towards the data subjects.
The essence of the arrangement must be made available to the data subject.
For any cloud contract (IaaS, PaaS, SaaS), the above-mentioned obligations of the GDPR regarding joint controllers may require the following:
- a “Purpose” clause to determine the purpose or purposes of the processing shared, in whole or in part, between the parties;
- a “Means” clause to determine the technical and organisational measures to be taken to implement the processing operation(s) in accordance with the Regulation and the accountability principle, and to divide, where appropriate, the corresponding technical responsibilities;
- a “Security” clause to present the physical and logical security policy agreed upon by the parties, in addition to the measures applicable in case of unauthorised intrusion (data breach process); this clause should be associated with an appendix dedicated to a security assurance plan;
- a “Contact Point” clause and an “Information of the Data Subject” clause to specify who will actually respond to the data subject and ensure that his or her rights are effectively respected;
- a clause specifying if, when and how a processor can engage another processor;
- a “Confidentiality” clause, which should guarantee confidentiality not only from the employees of each joint controller, but also from any subcontractors or freelancers hired by either of the parties;
- the location of the data and the respective responsibilities in case of cross-border processing;
- the distribution of risks and responsibilities between the joint controllers, it being specified that each joint controller is jointly and severally liable to the data subject (Article 26(3) of the GDPR);
- clarifications on the termination of contractual relationships and the destruction of data in the cloud.
Beyond cloud computing, the concept of joint controller within the meaning of the GDPR may also be relevant in other circumstances, such as when data are exchanged between companies within the same group or belonging to the same distribution network.
(1) Directive 95/46/EC of 24-10-1995, Art. 2(d)
(2) Regulation (EU) 2016/679 of 27-4-2016
(3) CNIL, Recommendations for companies planning to use cloud computing services, available in French and in English on www.cnil.fr, page 6
(4) Post of 23-7-2013
Article provided by: Eric Le Quellenec, Lexing Droit Informatique