Cloud computing—data protection
Cloud computing—data protection

The following Information Law guidance note provides comprehensive and up to date legal information covering:

  • Cloud computing—data protection
  • Brexit
  • Cloud computing and the GDPR
  • General obligations on customers (as controllers)
  • Specific obligations on customers (as controllers) under Article 28
  • International personal data transfers
  • Obligations on suppliers (as processors)
  • Sub-processing
  • Standard processing clauses, approved codes of conduct and certification schemes
  • Sanctions and enforcement
  • more

This Practice Note on data protection and business-to-business cloud computing, including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) solutions, provides guidance on:

  1. the implications of Brexit for the subject matter of this Practice Note

  2. Cloud computing and the GDPR

  3. General obligations on customers (as controllers)

  4. Specific obligations on customers (as controllers) under Article 28

  5. International personal data transfers

  6. Obligations on suppliers (as processors)

  7. Sub-processing

  8. Standard processing clauses, approved codes of conduct and certification schemes

  9. Sanctions and enforcement

  10. Considerations for cloud customers

  11. Considerations for cloud suppliers

  12. Negotiating cloud contracts

  13. Other information laws

  14. Overseas data protection laws

  15. Conflict of laws and the US CLOUD Act

This Practice Note covers the law under the General Data Protection Regulation (the GDPR) regime as it applies in the UK.

As further explained below, in the context of cloud computing, the customer will generally be a controller and the supplier a processor. Unless stated otherwise, references to the supplier or to the customer in this Practice Note will be to the supplier acting as a processor and the customer acting as a controller under the GDPR.

For a comprehensive introduction to the GDPR, collating key practical guidance, see: GDPR toolkit.

For further guidance on cloud computing, see Practice Notes: Cloud computing—introduction and Cloud computing—key legal issues.

Brexit

On 31 January 2020,