Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Cloud Contracts: Impacts of GDPR on Processors

07.08.2017

The GDPR clarifies the clauses to be contained in a data processing agreement.

The new European Regulation does not change the concept of data processing, but it does affect the nature of the related obligations, which must be translated into firm commitments in the cloud contract.

What does the GDPR say on data processing agreements?

The data processor is the person who processes personal data on behalf of the controller.

This is how, building on Directive 95/46/EC of 24 October 1995, the General Data Protection Regulation (“GDPR”) defines a “processor” in its Article 4(8). The GDPR (1) imposes new obligations on processors in order to increase the accountability of those who are usually responsible for manipulating a lot of data on behalf of the controller.

Article 28(3) of the GDPR lays down new obligations which must be reflected in the data processing agreement. These relate mainly to:

  • the subject-matter and duration of the processing of personal data;
  • the nature and purpose of the processing;
  • the obligations of security, warning and alert towards the controller.

What’s the impact for cloud contracts?

For any cloud contract (IaaS, PaaS, SaaS), the above-mentioned obligations of the GDPR regarding data processing may require the following:

  • a clause “Representations” containing representations from the controller to the processor regarding all relevant information on the purpose of the processing of personal data made using the means made available by the cloud provider;
  • a clause “Instructions” describing the instructions given by the client to the cloud provider and how the cloud provider must apply them;
  • a clause “Security” presenting the physical and logical security policy deployed by the cloud provider, in addition to the measures applicable in case of unauthorised intrusion (data breach process); this clause should be associated with an appendix dedicated to a security assurance plan;
  • a clause under which the processor agrees to cooperate in the event a data subject wants to exercise his or her rights;
  • a clause specifying if, when and how a processor can engage another processor;
  • a clause “Confidentiality”, which should guarantee confidentiality not only from the cloud provider’s own employees, but also from any subcontractors or freelancers hired by the cloud provider to assist in the performance of its obligations;
  • clauses on the provider’s obligation to inform (in general, and not only in the event of data breach) and the conditions for conducting audits;
  • the conclusion of standard contractual clauses (2) if the data are transferred outside the European Union to a country not considered as ensuring an adequate level of protection (if data are transferred to the United States, a specific framework may apply: the EU-U.S. Privacy Shield (3));
  • clarifications on the termination of contractual relationships and the destruction of data in the cloud.

Without prejudice to the provisions of the contract, Article 28 of the GDPR allows the processor to adhere to a code of conduct (Article 40) or to a certification mechanism (Article 42) to demonstrate that it provides sufficient guarantees to meet the requirements of the GDPR (Article 28(5)).

Despite those contractual provisions or certification procedures, it happens that a cloud provider manages the data entrusted to it almost autonomously. A cloud provider can hardly be regarded as the controller under the GDPR, but it may be considered a “joint controller” within the meaning of its Article 26. In such situations, since a supervisory authority may decide to requalify the controller-processor relationship as one between joint controllers, the parties would be well advised to proactively treat themselves as such and sign a joint controllers agreement reflecting the actual division of liability between them.

References:

  1. Regulation 2016/679 of 27-4-2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (“GDPR”)).
  2. Chloé Torres, Oriane Zubcevic, Post of 7-12-2016.
  3. Céline Avignon, Post of 13-7-2016.


Article provided by: Eric Le Quellenec, Attorney-at-law, Member of the Paris Bar
