CHAPTER 3: THE DATA CONTROLLER/DATA PROCESSOR RELATIONSHIP

Responsibility for compliance with the data processing principles and other aspects of the GDPR lies with the data controller (as defined in the previous chapter).

It is important to note that group-level responsibility for data protection compliance is not an option. Each legal entity – company, public body, institution, partnership or even an unincorporated charity – carries its own, separate responsibility.

The Cloud provider in many cases will be a data processor (also as previously defined), particularly if you store data in the Cloud. However, as discussed in the previous chapter, there may be cases where the Cloud provider is merely a ‘third party’. Either way, if you are the data controller, you must ensure that the Cloud provider processes personal data on your instructions only.

Although it would ultimately be for the courts to determine the exact role of a Cloud provider, it is always useful to establish a common view between the customer and the Cloud provider on what the relationship appears to be, as a basis for clarifying their respective responsibilities.

Where a data controller employs the services of a data processor or third party, responsibility for data protection compliance remains with the data controller.7 If data is lost in the Cloud, or if security is breached, the data controller is responsible for any harm caused to the individuals whose data it decided to place in the Cloud, and could be the subject of enforcement action taken by the supervisory authority.

Data controller–processor contracts

The GDPR is specific in its approach to the relationship between the organisation that carries the responsibility – the data controller – and any organisation to which work is outsourced – the data processor.

The Regulation requires there to be a “contract or other legal act between the controller and the processor”, setting out the relationship and imposing security obligations on the data processor. The GDPR states in Article 28(4) that such a legal act should provide “sufficient guarantees to implement appropriate technical and organisational measures” to meet its requirements. The data controller is also explicitly given the responsibility for assessing the adequacy of the data processor’s security and taking steps to verify it.

If there is any possibility, therefore, that the Cloud provider is a data processor, it would be very unwise for the customer (in this case, the controller) to proceed without a written contract that meets at least the minimum provisions in the GDPR.

Where Cloud services are provided on a bespoke basis, they may be the subject of contractual negotiations between the data controller and data processor. In such instances a contract can be drawn up that unequivocally meets the requirements of the Regulation.

However, in many cases – even for large business deals – the contract for Cloud services is set out in non-negotiable terms and conditions, or with very little scope for variation. If the Cloud provider does not offer terms and conditions that meet the GDPR’s requirements, there is little that can be done to get them added in.

Ideally, a data processor contract should also provide indemnity for the data controller against any costs resulting from the data processor’s failure to deliver. At the very least, the controller needs to provide clear instructions for the processor, including contract clauses making it clear that the processor is liable for any breaches as a result of not following the controller’s explicit instructions when processing personal data. This is not a legal requirement but makes sound commercial sense. The standard terms and conditions for Cloud services almost inevitably exclude any indemnity for a failure of the service, of course.

This does not mean, however, that the data controller should accept the data processor’s terms uncritically. They should be examined carefully to ensure that no unacceptable risks are being taken. If there are gaps, it may be necessary to consider additional measures that should be taken on the customer side to compensate for any deficiencies in the terms and conditions on offer from the supplier.

One particular concern should be the possibility that the Cloud provider subcontracts parts of its service, which may not be apparent from service descriptions or architectural diagrams. This subcontracting must be approved by the controller under Article 28(2) of the GDPR. As controller, you will need at least some understanding of how the Cloud architecture works in order to determine whether any other parties constitute sub-processors. The customer must be able to rely on the whole chain providing the necessary quality of service. Some of these links may be outside the EU or, more pertinently, outside the European Economic Area (EEA), which brings additional data protection considerations.

Following is a quick checklist for issues that a data processor contract (or terms and conditions) with a Cloud provider should ideally address if the application makes, or could make, any use of personal data. Please note that the list is not intended to be a complete or accurate description of the provisions that should be in a contract between the data controller and a Cloud-based data processor, and some of the points may not be relevant in every case.

1) Is it clear that the customer is the data controller and the Cloud provider is a data processor?

2) Is it clear what processing the Cloud provider is expected or entitled to carry out on the data controller’s data?

3) Is it explicit that all the customer’s data supplied is confidential (unless it is legitimately in the public domain), and that the Cloud provider is not to process or disclose the data except on the data controller’s instruction, nor to retain it after the contract ends or the data controller stops using the service?

4) Does the Cloud provider have adequate technical and organisational measures in place for effective security, and can the data controller audit this effectively?

5) Is there a requirement for the Cloud provider to inform the data controller immediately of any security breach they become aware of (whether they caused it or not)?

6) Does the Cloud provider indemnify the data controller for any costs incurred in rectifying data breaches brought about deliberately or negligently by the Cloud provider (ideally including costs of reassuring affected individuals, even if this is not legally required)?

7) Is the Cloud provider required not to do anything that would put the data controller in breach of the GDPR?

8) Is the Cloud provider required to promptly forward all requests from data subjects exercising their rights, including data subject access requests (DSARs), and complaints about any of the processing to the data controller?

9) Is the Cloud provider required not to process the data, or allow it to be processed, outside the EEA (unless the data controller gives prior consent to do so)?

10) Is the Cloud provider prohibited from subcontracting any processing (or from doing so without the data controller’s prior consent)?

7 Unless the data processor or third party acts outside of the instructions of the data controller or otherwise breaches the GDPR.
