30 November 2017

It is hard to find anyone not using cloud services these days, but you might not think about the issues arising from storing data in the cloud. If you want to choose the right cloud service provider and avoid the huge fines of the European General Data Protection Regulation (GDPR), read this article, in which we gathered the key legal considerations to weigh before jumping into a cloud contract.

Who’s who in the cloud?

Under the GDPR, the main addressee of data protection obligations is the data controller, who is in general responsible for compliance with the basic principles of data protection, since the controller defines the purposes and means of data processing.

In addition, the natural persons concerned by the data processing (the data subjects) can enforce their quite broadly defined rights under the GDPR against the data controller, so the latter is liable for respecting the data subjects’ rights and for their effective enforcement.

It is clear that your company, as data controller, is responsible for the personal data of your employees and clients stored in-house, so you have to take the necessary internal measures to protect that data (e.g. protecting documents with passwords).

At the same time, the question arises whether your situation is the same if you store the personal data of your employees and clients in the cloud. Does it change your legal status? Can you outsource your data protection obligations as data controller?

The answer is clear: no change.

Even if you outsource some activity (e.g. data storage) to an external service provider and contract a cloud provider, the latter will act as data processor, while you retain your data controller status.

The data subjects can still enforce their rights under the GDPR against your company.

The situation of the cloud provider

The obligations and liability of the cloud provider towards your company are governed by the contract between you and the cloud provider.

In the vast majority of cases this means the cloud provider’s general terms & conditions, published in small print on its website, which you accepted with a simple mouse click without really reading the text. This is the reality among SMEs, where a truly negotiated cloud contract is as rare as hen’s teeth.

In other words, you, as data controller, are fully responsible towards your employees and clients for the data processing by law (GDPR); that obligation could be secured by a back-to-back contract concluded with your cloud provider.

However, you cannot have any impact on the content of that cloud contract, because the cloud provider is a mammoth company working with standard terms & conditions, and when you enter into the cloud contract there is no bargaining: you take it or leave it.

Exclusions and limitations in cloud contracts

Not surprisingly, the general terms & conditions of the cloud provider are full of exclusions and limitations of the provider’s liability.

If you took the trouble to read the general terms and conditions carefully, you would find that the cloud provider excludes its liability for practically everything: interruption of the service, partial or total loss of data, destruction of data, non-availability of the service, etc.

Furthermore, cloud providers often exclude liability for incidental or consequential damage resulting from data loss (e.g. lost profit), and if, after all the above exclusions, they would still be legally liable, they cap the indemnification for pecuniary and non-pecuniary damage at a quite low amount.

Lack of transparency and data transfers

A further risk of using a cloud service is that you cannot see who processes the data stored in the cloud, or where.

If you are not in the IT business, your company will likely use a so-called SaaS (Software as a Service) cloud service (e.g. Dropbox is a SaaS provider). A SaaS provider itself often uses further cloud services; e.g. Dropbox uses Amazon Web Services as its IaaS (Infrastructure as a Service) provider.

In that case you do not know on which server your data is stored. If your data is stored on a server located outside the EU, this can amount to a data transfer to a third country, which may infringe the GDPR if that country does not provide a level of data protection similar to the GDPR’s.

There are several ways to mitigate the above risks, and by applying them together you can reduce your exposure to a fine for non-compliance with the GDPR:

1. It is worth choosing a cloud provider which, as data processor, guarantees at least that it will support you as data controller in complying with your obligations towards data subjects under the GDPR.

2. In many cases you can obtain more favorable contract terms from cloud providers if, instead of contracting with them directly, you conclude the contract through an integrator, which pools several clients with similar needs and can negotiate better terms.

3. It is worth choosing a cloud provider which guarantees that it stores the data on servers located within the European Union and undertakes not to transfer the data to third countries.

4. Within statutory limits, you can limit your liability for data breaches in the contracts you sign with employees and clients.

5. Last but not least, risks that cannot be addressed by any of the methods above can be managed through insurance, by adjusting the coverage of your insurance policy.