CLOUD WITHOUT STORM? – 5 DATA PROTECTION TIPS TO CLOUD USERS
30 November 2017
It is hard to find anyone not using cloud services these days, but you might not think about the issues that arise from storing data in the cloud. If you want to choose the proper cloud service provider and avoid the huge fines of the European General Data Protection Regulation (GDPR), read this article, in which we have gathered the key legal considerations to weigh before entering into a cloud contract.
Who’s who in the cloud?
Under the GDPR, the main addressee of data protection obligations is the data controller, who is generally responsible for compliance with the basic principles of data protection, since the controller defines the purposes and means of data processing.
In addition, the natural persons concerned by the data processing can enforce their quite broadly defined rights set forth in the GDPR against the data controller, so the latter is liable for respecting the data subjects’ rights and for their effective enforcement.
It is clear that your company, as data controller, is responsible for the data of your employees and clients stored in-house, so you have to take the necessary internal measures to protect that personal data (e.g. protecting documents with passwords etc.).
At the same time, the question arises whether your situation is the same if you store the personal data of your employees and clients in the cloud. Does it change your legal status? Can you outsource your data protection obligations as data controller?
The answer is clear: no change.
Even if you outsource some activity to an external service provider (e.g. data storage) and contract a cloud provider, the latter will act as data processor, while you will retain your data controller status.
The data subjects can still enforce their rights based on the GDPR towards your company.
The situation of the cloud provider
The obligations and responsibility of the cloud provider towards your company are governed by the provisions of the contract between you and the cloud provider.
In the vast majority of cases this means the general terms & conditions of the cloud provider, published on its webpage in small print, which you accepted with a simple mouse-click without really reading the text. This is the reality among SMEs, where a truly negotiated cloud contract is as rare as hen’s teeth.
In other words, you, as data controller, are fully responsible by law (GDPR) for the data processing towards your employees and clients, and this obligation could be secured with a back-to-back contract concluded with your cloud provider.
However, you cannot have any impact on the content of that cloud contract, because the cloud provider is a big mammoth company working with standard terms & conditions, and when you enter into the cloud contract there is no bargaining: you take it or leave it.
Exclusions and limitations in cloud contracts
Not surprisingly, the general terms & conditions of the cloud provider are full of exclusions and limitations regarding the provider’s liability.
If you took the trouble to read the general terms and conditions carefully, you would find that the cloud provider excludes its liability for practically everything: for the interruption of service, for the partial or total loss of data, for the destruction of data, for the non-availability of the service, etc.
Furthermore, cloud providers often exclude responsibility for accidental or consequential damage that occurs as a result of data loss (e.g. lost profit, etc.), and if, after all the above exclusions, they would still be legally liable, they limit the indemnification for pecuniary and non-pecuniary damage to a quite low amount.
Lack of transparency, data transfer
A further risk of using a cloud service is that you cannot see who processes the data stored in the cloud, or where.
If you are not in the IT business, your company will likely use a so-called SaaS (Software as a Service) cloud service (e.g. Dropbox is a SaaS provider). A SaaS provider itself often uses further cloud services; e.g. Dropbox uses Amazon Web Services as its IaaS (Infrastructure as a Service) provider.
In the above case you do not know on which server your data is stored. For example, if your data is stored on a server located outside the EU, this can amount to a data transfer to a third country, which might infringe the GDPR if that country does not provide a level of data protection similar to the GDPR.
There are several measures that mitigate the above risks, and by applying them together you can decrease your exposure to a fine imposed for non-compliance with the GDPR:
1. It is worth choosing a cloud provider who, as data processor, guarantees at least that it will support you as data controller in complying with your obligations towards data subjects under the GDPR.
2. In many cases you can obtain more favourable contract terms from cloud providers if, instead of contracting with them directly, you conclude a contract through an integrator, who gathers several clients with similar needs and can negotiate better terms.
3. It is worth choosing a cloud provider who guarantees that it stores the data on servers located within the European Union and who undertakes not to transfer the data to third countries.
4. Within statutory limits, you can limit your responsibility for data breaches in the contracts you sign with employees and clients.
5. Last, but not least, the risks that cannot be addressed by one of the methods above can be managed through insurance, by modifying the coverage of the insurance policy.