Blog » CLOUD WITHOUT STORM? – 5 DATA PROTECTION TIPS TO CLOUD USERS
CLOUD WITHOUT STORM? – 5 DATA PROTECTION TIPS TO CLOUD USERS
30 November 2017
It is hard to find anyone not using cloud services these days, but you might not think about the issues arising due to the storage of data in the cloud. If you want to choose the proper cloud service provider and avoid the huge fines of the European General Data Protection Regulation (GDPR), read this article, in which we gathered the key legal considerations before jumping into a cloud contract.
Who’s who in the cloud?
Based on GDPR the main addressee of data protection is the data controller, who in general responsible for compliance with the base principles of data protection, since he defines the objectives and means of data processing.
In addition, the natural persons concerned by the data processing can enforce their quite broadly defined rights set forth in the GDPR towards the data controller, so the latter is liable for respecting the data subjects’ rights and the effective enforcement of those rights
It is clear, that your company, as data controller, is responsible for the data of your employees, clients stored in-house, so you have to make the necessary internal measures to protect those personal data (e.g. protecting documents with passwords etc.).
At the same time, the question arises, whether your situation is the same, if you store the personal data of your employees and clients in the cloud. Does it change your legal status? Can you outsource your data protection obligations as data controller?
The answer is clear: no change.
Even if you outsource some activity to an external service provider (eg. Data storage) and you contract a cloud provider, the latter will act as data processor, while you will preserve your data controller status.
The data subjects can still enforce their rights based on the GDPR towards your company.
The situation of the cloud provider
Regarding the obligations and responsibility of the cloud provider towards your company, the provisions of the contract between you and the cloud provider will govern this relation.
In vast majority of cases this means the general terms & conditions of the cloud provider, published on its webpage with small letters, that you accepted by a simple mouse-click without really reading the text. This is the reality among the SMEs, where a truly negotiated cloud contract is as rare as hen’s teeth.
In other words, you as a data controller, are fully responsible for data processing towards the employee, client on the basis of law (GDPR), which obligation could be secured with a back-to-back contract concluded with your cloud provider.
However, you can not have any impact on the content of thet cloud contract, because the cloud provider is a big mammoth company, working with standard terms & conditions, and when you enter into the cloud contract, there is no bargaining, you take it or leave it.
Exclusions and limitations in cloud contracts
Not surprisingly, the general terms & conditions of the cloud provider is full of exclusions and limitation regarding the provider’s liability.
If you would take trouble over reading carefully the general terms and conditions, you would face that the cloud provider excludes its liability practically for everything: for the interruption of service, for the partial or total loss of data, for the destruction of data, for the non-availability of the service, etc.
Furthermore, cloud providers often exclude responsibility for accidental or consequential damage occurred as a result of data loss (e.g. lost profit, etc.), and if after all above mentioned exclusions, they would be still legally liable, they limit the indemnification for pecuniary and non-pecuniary damage to a quite low amount.
Lack of transparency, data transfer
It is a further risk if you use cloud service, that you cannot see who and where processes the data stored in cloud.
If you are not in the IT business, your company will likely use a so-called SaaS (Software as a Service) cloud service (e.g. Dropbox is a SaaS provider). A SaaS provider itself often use further cloud services, e.g. Dropbox uses Amazon Web Services as IaaS provider (Infrastructure as a Service).
In the above case you do not know on which server is your data stored. For example, if your data is stored on a server which is located outside the EU, it can amount to a data transfer to a third-country, which might infringe the GDPR, if the country does not provide a similar data protection level as the GDPR.
There are more solutions in order to mitigate the above risks, and by applying them together, you can decrease your exposure to a fine imposed for non-compliance with the GDPR:
1. It is worth to choose a cloud provider, who, as a data processor, guarantees at least that, it will support you as data controller to comply with your obligations towards data subjcets based on the GDPR.
2. In many cases, you can reach more favorable contract terms at cloud providers, if instead contracting with them directly, you conclude a contract through an integrator, who gathers more clients with similar needs and can reach better terms.
3. It is worth to choose a cloud provider who guarantees that he stores the data on servers located within the European Union and who undertakes not to transfer the data to third countries.
4. Within statutory limits, you can limit your responsibility for data breaches in the contracts you sign with employees, clients.
5. Last, but not least, the risks that cannot be addressed by one of the methods above, can be managed in the framework of insurance, by modifying the coverage of the insurance policy.
HOW NOT TO CONCLUDE AN INTERNATIONAL SALES CONTRACT? – OUR CLIENT’S CASE IN FRONT OF THE CURIA
Can the raw material supplier be liable for defects, if the specification is incomplete, but he knows what the end-product is? Who has to prove this under the Vienna Convention on the International sale of goods? These questions were decided by the Hungarian Supreme Court in the case of our Italian client, against a Hungarian company.Read more »
GDPR PENALTY FORECAST – OUR PRESENTATION AT BELGABIZ
How often did the Hungarian Data Protection Authority impose penalties in the last five years? What was the average amount of penalties? Will be there any change after 25th May 2018, when the GDPR comes into force? We addressed these questions in our presentation made at BELGABIZ.Read more »
HOW NOT TO USE CCTV AT WORKPLACE? – 15 MILLION FINE FOR AUCHAN HUNGARY
Auchan Hungary started this year with a HUF 15 Million data breach fine for operating CCTV at workplace in breach of data protection principles. Given that CCTV lies in the heart of GDPR entering into force in May 2018, it is worth to learn from the Auchan case so that you can avoid a similar penalty in Hungary.Read more »