GDPR & Cloud Computing - Controllers & Processors

Do you use SaaS technology, cloud software or carry out cloud computing as part of your business? Are you the provider of a SaaS or cloud solution?

If so - read on to understand your rights and responsibilities under the GDPR!

As we have seen in previous blog posts, it is usually accepted that a SaaS provider is acting as a data processor and its customers (i.e., the users of the solution) are data controllers in respect of the personal data that they process via the platform or service.

Under the GDPR, this means that each party in a SaaS relationship has its rights and obligations, whether they are acting as a data processor or data controller, a sub-processor or indeed if they are a data subject.

Here, we are going to focus on the obligations on controllers and processors in the cloud software and SaaS environment.

Controller obligations:

  • Entering into a Data Processing Agreement (DPA): The DPA must be completed in writing (including by electronic form). Article 28 of the GDPR sets the minimum requirements which must be included in a DPA, which are more onerous than those previously set out under the pre-GDPR law.

In practice it is usually the cloud service provider that provides the form of DPA to its customers. This is because we are talking about a highly standardised service with a high volume of customers.

The DPAs provided by the providers are drafted to reflect the processes and service delivery models applicable to their product. It is impossible for the providers to make any changes to their technology without updating the DPA.

In practice, this means that cloud service providers have limited flexibility negotiating terms due to the limitations of the service delivery model especially when compared with a traditional outsourcing provider which has a lot of flexibility negotiating since it is often providing a highly bespoke service or is dealing with only one customer.

  • Complying with European data transfer rules: For any of the major cloud providers this is more the rule than the exception, since cross border transactions and the transfer of personal data from the EU to outside the EEA are an everyday occurrence with the use major cloud providers.

Aside from many SaaS providers being based in the US, another reason for international data transfers in the cloud software environment is that cloud service providers will make use of legal entities in various jurisdictions around the globe to make sure that they can deliver 24/7 technical support, maintenance and monitoring.

For controllers, this means making sure that your cloud solution suppliers have appropriate international transfer mechanisms in place.

  • European controllers have a legal obligation to conduct due diligence on their cloud service providers:

It is customary to have security workshops between the cloud service providers and the customers to understand how providers handle security and put in place measures. Questionnaires are also widely used. When customers have a panel of selected cloud service providers, they will frequently send security questionnaires to compare the performance of the different cloud service providers.

  • Certification and audit: Many cloud providers use ISO 27001 and ISO 27018 to audit and have an in-depth analysis of the security measures that the cloud service providers deploy which reassure customers. This means that controllers need to verify what security mechanisms are in place to safeguard personal data in the absence of such certification.

Audits of multi tenancy cloud computing services are very reliable because any new auditor is auditing the system used by all the customers. This is not the case with a classic outsourcing provider made for only one customer.

However, for cloud computing, the general rule is that audit is replaced by reports and third-party audits. The documentation is provided to the customers, on site audit is always the last resort. 

Obligations on the processor

Traditionally, virtually all data protection obligations were placed on the controller, and to an extent, this is unchanged under the GDPR. The controller needs to ensure consent and information of the data subject as well as a lawful basis for processing under the GDPR. However, the GDPR takes it one step further by also putting obligations on processors:

  • Obligation to provide assistance: These are basic requirements that need to be contractually agreed in the DPA. The processor needs to assist the controller to preserve the rights of individual data subjects.

In a Saas context, such assistance will be delivered in a self-service way. The service must allow to extract a copy of the individual’s data, the controller should be able to modify the information if requested by the individual.

For example, if the data controller discovers that there is a need to carry out a data impact assessment, the processor will need the assistance of the processor, which must comply with that request.

  • Processors can be fined if they don’t comply with their direct obligations:

The maximum amount for fines has increased under the GDPR: EUR 20 million is now the minimum and this can be increased up to 4% of the total turnover. Fines can therefore be tremendous, albeit to date, fines given under the GDPR by national supervisory authorities so far have yet to reach these proportions.

However, there is no clear guidance yet as to what happens when the customer (i.e., the controller) is fined because of the provider’s (processor) failure to comply with its GDPR obligations.

This is an ongoing issue and makes us wonder who is going to be responsible for fines, and how will they be proportioned in practice?

  • Cross border data transfers: Again it used to be the controller’s obligation only to ensure that any international transfers (i.e., transfers outside of the EEA) are compliant, but now the provider, in its capacity as processor, must also ensure that data transferred outside of the EEA is protected. 

  • GDPR creates shared responsibility between controllers and processors.

The processor must ensure general security and confidentiality of personal data that it processes, as well as the resilience of its systems. On the other hand, in a SaaS environment controllers are responsible for properly configuring the service (for example, by ensuring strong passwords and respecting the number of users and seats).

  •  Sub-processors:  For most SaaS and cloud software solutions to function, the provider will turn to third parties, which also act as data processors on its behalf (i.e., a sub-processor).

In a SaaS context, the customer generally authorises the use of the sub processors which must be disclosed, and the list must be updated regularly.

Customers can object and terminate the contract if they do not approve of the new sub-processors, although in reality, it is highly unlikely that many changes can be made by a SaaS provider on the basis of a single customer request - simply due to the non-bespoke nature of the services provided and the fact that the provider has usually entered into contractual arrangements with third party suppliers (acting as sub-processors) which have much stronger bargaining power - therefore such provisions need to be mirrored throughout the contractual chain to ensure that no party is in breach.

If you need any assistance in handling data protection issues with your SaaS providers or if you are a cloud software company requiring further information about the scope of your contractual arrangements with your customers, please feel free to get in touch.

Marie Mortreux, Legal Consultant @ Gerrish Legal / Charlotte Gerrish, Founding Lawyer @ Gerrish Legal

December 2018