Cloud computing—data protection

The following TMT practice note provides comprehensive and up to date legal information covering:

  • Cloud computing—data protection
  • In brief
  • Topics covered in this Practice Note
  • Scope of this Practice Note
  • Cloud computing and the GDPR regimes
  • Guidance from supervisory bodies
  • Contract or other legal act
  • Meaning of processing and personal data under the GDPR regimes
  • Controllers and processors
  • General obligations on customers (as controllers)
  • More...

Cloud computing—data protection

In brief

Data protection laws in both the EEA (the EU plus Iceland, Norway, and Liechtenstein) and UK seek to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly. To help ensure that, both EEA and UK data protection laws impose a large number of obligations on those ‘processing’ personal data. ‘Processing’ is broadly defined to include doing most things with data, including storing, deleting, collecting, disclosing or using it.

One of the key protections under both EEA and UK data protection laws is the obligations placed on ‘controllers’ (usually meaning those that decide the purposes and means of processing) and ‘processors’ (those that process personal data on behalf of a controller further to the controller’s instructions). Among other things, EEA and UK data protection laws usually require controllers and processors to put in place contracts containing certain minimum provisions and ensure any processor(s) they engage are suitable. In a cloud computing arrangement, the end customer will often act as controller and the supplier as its processor.

This Practice Note introduces the requirements under EEA and UK data protection laws in the context of a business-to-business cloud computing, including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) solutions, where a supplier will process personal data as processor on behalf of

Popular documents