An important development affecting all types of Cloud Computing
On 1st July 2012, an important EU privacy watchdog, the Article 29 Working Party, issued guidance on cloud computing. This guidance makes it clear that the user cannot simply rely on the cloud provider to ensure compliance with data protection legislation. The user must go to great lengths to ensure compliance, which includes taking the following steps:
- Carefully selecting a cloud provider that guarantees compliance with data protection legislation and is willing to fully co-operate by providing all the information needed for the next stages.
- Undertaking a comprehensive and thorough risk analysis, paying particular attention to the applicable law; the technical and organisational measures that need to be taken at every stage of the process; the countries in which processing will take place; and any sub-processors that will be involved.
- Negotiating a detailed contract with the cloud provider setting out:
  - confirmation that the cloud provider will only act on the instructions of the user and will only use the personal information for specified purposes;
  - details of the cloud provider’s guarantee of compliance with data protection legislation;
  - the safeguards that will be implemented to protect against the risks identified by the risk analysis;
  - how personal data will be protected when it is transferred to agreed countries outside the EEA (the consent of the data subject is not sufficient for this purpose);
  - the obligation to obtain the user’s written consent before any personal data is transferred to any other country, or any sub-processor is appointed;
  - mechanisms to allow the user to enforce the contract against any sub-processor and to terminate any contract with a sub-processor.
- Agreeing detailed procedures by which any instructions will be given to the cloud provider and the cloud provider will ensure that data subjects’ rights are protected, e.g. notification of breaches and subject access rights.
- Undertaking monitoring and auditing to ensure the cloud provider is complying with the terms of the contract.
It is stressed that the user’s lack of negotiating power is not an acceptable reason for failing to take these steps, and that they apply to all types of cloud services, including data storage.
A copy of the full report, Opinion 5/2012, is available here.