Cloud computing—data protection
Cloud computing—data protection

The following Information Law guidance note provides comprehensive and up to date legal information covering:

  • Cloud computing—data protection
  • Cloud computing and the GDPR
  • General obligations on customers (as controllers)
  • Specific obligations on customers (as controllers) under Article 28
  • International personal data transfers
  • Obligations on suppliers (as processors)
  • Sub-processing
  • Standard processing clauses, approved codes of conduct and certification schemes
  • Sanctions and enforcement
  • Considerations for cloud customers
  • more

This Practice Note on data protection and business-to-business cloud computing, including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) solutions, provides guidance on:

  1. Cloud computing and the GDPR

  2. General obligations on customers (as controllers)

  3. Specific obligations on customers (as controllers) under Article 28

  4. International personal data transfers

  5. Obligations on suppliers (as processors)

  6. Sub-processing

  7. Standard processing clauses, approved codes of conduct and certification schemes

  8. Sanctions and enforcement

  9. Considerations for cloud customers

  10. Considerations for cloud suppliers

  11. Negotiating cloud contracts

  12. Other information laws

  13. Overseas data protection laws

  14. Conflict of laws and the US CLOUD Act

This Practice Note covers the law under the General Data Protection Regulation (the GDPR) regime as it applies in the UK.

As further explained below, in the context of cloud computing, the customer will generally be a controller and the supplier a processor. Unless stated otherwise, references to the supplier or to the customer in this Practice Note will be to the supplier acting as a processor and the customer acting as a controller under the GDPR.

For a comprehensive introduction to the GDPR, collating key practical guidance, see: GDPR toolkit.

For further guidance on cloud computing, see Practice Notes: Cloud computing—introduction and Cloud computing—key legal issues.

Cloud computing and the GDPR

If the supplier does not process any personal data, then there is