Date: November 21, 2016
Modified November 14, 2023
Written by: Valerie Lipman
Reading time: +/- 2 minutes
A buyer of cloud services is made aware through multiple channels of the risks of 'just' handing over data. Far less is said about the privacy obligations of the cloud provider itself. That is unjustified.
Whether it's transferring a payroll or managing customer data for an online store, in many cases the data transferred to the cloud consists of personal data. This is data that can be traced back to an individual, such as email addresses, but also passwords and IP addresses. The cloud provider processes this data on behalf of its customer. This includes all kinds of operations, such as collection, organization, storage, forwarding, modification or other use. Because the customer determines the purpose for which the data are processed, it is considered the "responsible party" (controller) under the WBP. The cloud provider that processes the data is the "processor". In the first instance, it is the responsible party that must comply with all kinds of obligations under the WBP. If these are violated, the supervisory authority, the Dutch Data Protection Authority, can impose fines on the controller.
Indirectly, however, the obligations of the controller also entail obligations for the cloud provider. Indeed, as soon as a controller outsources the processing of personal data to a processor, it must ensure that the processor complies with certain obligations. These obligations must be laid down in a so-called processor agreement.
This agreement establishes obligations of the processor regarding the processing, protection and security of personal data. The processor must keep the data confidential and provide adequate technical and organizational security of the personal data. It also establishes that the processor may only process the data on behalf of the controller. For the cloud provider, it is important to formulate the processor agreement carefully. After all, if the obligations laid down herein are violated, this constitutes breach of contract and you may be held liable by the responsible party, your customer.
In today's digital environment, existing regulations are no longer adequate. For this reason, the European Commission proposed a European regulation in 2012. This regulation is expected to enter into force around 2016. The draft regulation further tightens the obligations of controllers and processors. This applies, for example, to ensuring adequate security, imposing secrecy on staff and acting only on the instructions of and in accordance with instructions from the controller. The obligations of the processor and the instructions of the controller must be laid down in a document and the processing must be well documented. The draft regulation also requires the processor to immediately report data breaches to the controller. Thus, carefully recording the obligations and instructions remains an important point of attention even under the draft regulation.
More importantly, however, these obligations under the draft regulation are also imposed directly on the processor. The regulator can directly address the processor for violating its obligations. Failure to comply with the obligations will be subject to high fines equal to those that can be imposed on data controllers. These fines can range from 0.5% to as much as 2% of annual worldwide turnover!
As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us for personalized information about our services.