Blog » CLOUD WITHOUT STORM? – 5 DATA PROTECTION TIPS TO CLOUD USERS
CLOUD WITHOUT STORM? – 5 DATA PROTECTION TIPS TO CLOUD USERS
30 November 2017
It is hard to find anyone not using cloud services these days, but you might not think about the issues arising due to the storage of data in the cloud. If you want to choose the proper cloud service provider and avoid the huge fines of the European General Data Protection Regulation (GDPR), read this article, in which we gathered the key legal considerations before jumping into a cloud contract.
Who’s who in the cloud?
Based on GDPR the main addressee of data protection is the data controller, who in general responsible for compliance with the base principles of data protection, since he defines the objectives and means of data processing.
In addition, the natural persons concerned by the data processing can enforce their quite broadly defined rights set forth in the GDPR towards the data controller, so the latter is liable for respecting the data subjects’ rights and the effective enforcement of those rights
It is clear, that your company, as data controller, is responsible for the data of your employees, clients stored in-house, so you have to make the necessary internal measures to protect those personal data (e.g. protecting documents with passwords etc.).
At the same time, the question arises, whether your situation is the same, if you store the personal data of your employees and clients in the cloud. Does it change your legal status? Can you outsource your data protection obligations as data controller?
The answer is clear: no change.
Even if you outsource some activity to an external service provider (eg. Data storage) and you contract a cloud provider, the latter will act as data processor, while you will preserve your data controller status.
The data subjects can still enforce their rights based on the GDPR towards your company.
The situation of the cloud provider
Regarding the obligations and responsibility of the cloud provider towards your company, the provisions of the contract between you and the cloud provider will govern this relation.
In vast majority of cases this means the general terms & conditions of the cloud provider, published on its webpage with small letters, that you accepted by a simple mouse-click without really reading the text. This is the reality among the SMEs, where a truly negotiated cloud contract is as rare as hen’s teeth.
In other words, you as a data controller, are fully responsible for data processing towards the employee, client on the basis of law (GDPR), which obligation could be secured with a back-to-back contract concluded with your cloud provider.
However, you can not have any impact on the content of thet cloud contract, because the cloud provider is a big mammoth company, working with standard terms & conditions, and when you enter into the cloud contract, there is no bargaining, you take it or leave it.
Exclusions and limitations in cloud contracts
Not surprisingly, the general terms & conditions of the cloud provider is full of exclusions and limitation regarding the provider’s liability.
If you would take trouble over reading carefully the general terms and conditions, you would face that the cloud provider excludes its liability practically for everything: for the interruption of service, for the partial or total loss of data, for the destruction of data, for the non-availability of the service, etc.
Furthermore, cloud providers often exclude responsibility for accidental or consequential damage occurred as a result of data loss (e.g. lost profit, etc.), and if after all above mentioned exclusions, they would be still legally liable, they limit the indemnification for pecuniary and non-pecuniary damage to a quite low amount.
Lack of transparency, data transfer
It is a further risk if you use cloud service, that you cannot see who and where processes the data stored in cloud.
If you are not in the IT business, your company will likely use a so-called SaaS (Software as a Service) cloud service (e.g. Dropbox is a SaaS provider). A SaaS provider itself often use further cloud services, e.g. Dropbox uses Amazon Web Services as IaaS provider (Infrastructure as a Service).
In the above case you do not know on which server is your data stored. For example, if your data is stored on a server which is located outside the EU, it can amount to a data transfer to a third-country, which might infringe the GDPR, if the country does not provide a similar data protection level as the GDPR.
There are more solutions in order to mitigate the above risks, and by applying them together, you can decrease your exposure to a fine imposed for non-compliance with the GDPR:
1. It is worth to choose a cloud provider, who, as a data processor, guarantees at least that, it will support you as data controller to comply with your obligations towards data subjcets based on the GDPR.
2. In many cases, you can reach more favorable contract terms at cloud providers, if instead contracting with them directly, you conclude a contract through an integrator, who gathers more clients with similar needs and can reach better terms.
3. It is worth to choose a cloud provider who guarantees that he stores the data on servers located within the European Union and who undertakes not to transfer the data to third countries.
4. Within statutory limits, you can limit your responsibility for data breaches in the contracts you sign with employees, clients.
5. Last, but not least, the risks that cannot be addressed by one of the methods above, can be managed in the framework of insurance, by modifying the coverage of the insurance policy.
CAN THE IMMEDIATE TERMINATION OF EMPLOYMENT REFERRING TO PRIOR WARNINGS BE VALID?
In its recent judgment, the Hungarian Supreme Court addressed the question whether the immediate termination is lawful if it refers to several minor infringements of the employee already sanctioned by the employer prior to the termination. In our short article we analyse the decision of the Supreme Court and the relevant judicial practice.Read more »
MOSAIC APPROACH AND RESTRICTIVE INTERPRETATON OF LICENSE IN IP INFRINGEMENT CASES
The Hungarian Supreme Court recently ruled in the case of our Client, a BAFTA award-winning composer, who sued a French company in Hungary, because of the illegal use of his music, in video games distributed on online platforms. Besides the issue of jurisdiction of Hungarian courts on foreign defendants in international copyright infringements, the other question of the case was whether the original licence granted by our Client, covers these different modes of exploitation. In this article we analyse the judgement of the Supreme Court.Read more »
Hungary: Steps Towards Differentiating Between Domestic and International Procedural Public Policy
Drawing a well-defined line of demarcation between domestic and international public policy when enforcing foreign arbitral awards sends a clear pro-arbitration message from national courts in any jurisdiction. Does Hungarian case law come close to this level of sophistication? This post analyses this question in the context of procedural public policy, and it does so based on two recent appellate court decisions rendered in the context of enforcement of arbitral awards in accordance with the New York Convention.Read more »