IAPP CIPT – GDPR for Cloud Service Providers (CSPs) Part 2

5. Technical and Organisational measures

Hi, guys. If CFP processors do just one thing, they should review the bombshells contained in Article 26. Under this article, the processor shall not enlist another processor without the prior specific or general written consent of the controller. In effect, this means transitioning to a regime of subcontracting only with consent. There is express acknowledgment in the GDPR that an open consent to subcontract processing can be agreed.

Where general consent is attained, CSP processors should always inform the data controller if there are to be any changes, additions or replacements of these subprocessors, thereby giving the opportunity to the controller to object to such changes. All CSP processors are aware that potential obstacles to subcontracting should ideally be avoided. CSP processors serving thousands will want to reserve flexibility over their operations.

Where CSP processor enlists another processor in order to carry out specific processing activities on behalf of the controller, it must ensure that it passes on the same data protection obligations as set out in the contract between the controller and CSP processor. In particular, these flow down obligations should provide sufficient guarantees around security in such a way that the processing will meet the requirements of the GDPR.

Where the CSP subcontractor failed to fulfill its obligations, CSP processors remain fully liable to the customer for the acts of their subcontractor. Although this is not unusual as a contractual requirement, the practicalities make the mind boggle. The obligation is to pass through the same terms as the underlying contract, not simply substantially similar terms.

Practically, if CSP processors do not contract on an identical form with every customer, they should be passing down the alternative terms agreed with each respective customer to each subcontractor processing their data. This will clearly be possible for smaller one or impossible for large CSP processors with numerous customers and a myriad of subcontractors, not least where back end hosting services are provided by, let’s say, Amazon or Microsoft. Ultimately, some of the contractual risk is likely to be absorbed by CSP processors, ignoring the issues surrounding data transfers outside the European Union, which will continue in a similar vein to provide contractual discomfort.

This particular subcontracting requirement is likely to plague many legal teams. Let’s talk about the impact on cloud contracting. Well processing carried out by CSP processors should be governed by a contract which binds the processor to the controller and sets out the following the subject matter and the duration of the processing the nature and purpose of the processing the type of personal data and categories of data subjects and the obligations and rights of the processor and the controller. The contract must also stipulate that the processor shall process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, ensure confidentiality and take appropriate measures to ensure security. The GDPR is prescriptive about the contents of the contract appointing CSP processors.

The new rule will require taking into account the nature of the processing that data processors assist the controller, insofar as this is possible for the fulfillment of the controller’s obligations to respond to requests for exercising data subjects rights. These new responsibilities are not necessarily revolutionary, as most good processing clauses today already require the cooperation around regulatory or data subject access requests. However, in addition to this responsibility, at the election of the controller, CSP processors must delete or return all the personal data processed within the cloud to the controller at the end of the data processing service contract.

They must also delete existing copies unless applicable. Member state law requires storage of the data breach notification under GDPR, and the need for instant response and instant preparedness training within CSP processors will be elevated. For more details, check out my course on instant response for GDPR away from telecommunications service providers. The European Union has not seen breach notification requirements for CSP processors until now. Sophisticated customers have required breach notification contractually for some time, but CSP processors will now find the GDPR requires the damn to report any data breach to the controller without undue delay after becoming aware of the breach. What amounted to good contractual practice now has also a legal mandate which is really, really good.

6. Subcontracting

Hi guys. The GDPR clarifies the clauses to be contained in a data processing agreement. The new European regulation does not change the concept of data processing but impacts on the nature of the related obligations which must translate it into the firm commitment in the cloud contract. What does GDPR say on data processing agreements? Well, the data process is the person who processes personal data on behalf of the controller. This is how building on the old directive from the 995 GDPR defines a processor in this article four alignate eight well, the new GDPR imposes obligations on processors in order to increase the accountability of those who are usually responsible for manipulating a lot of data on behalf of the controller. Article 28 alinea three of the GDPR lays down new obligations which must be reflected in the data processing agreement.

This relates mainly to the subject matter and duration of the processing of personal data, the nature and purpose of the processing and the obligations of security warning and alert towards the controller. What’s the impact for cloud contracts then? For any cloud contract, infrastructure, service, platform or software as a service? The above mentioned obligations of the GDPR regarding data processing may require the following a close representations containing the representations from the controller to the processor regarding all relevant information on the purpose of the processing of personal data made using the means made available by the cloud provider.

A close instructions describing the instructions given by the client to the cloud provider and how the cloud provider must apply them. A clause security presenting the physical and logical security policy deployed by the cloud provider in addition to the measures applicable in case of unauthorized intrusion. Like the data breach process, this clause should be associated with an appendix dedicated to a security assurance plan. A clause under which the processor agrees to cooperate in the event of data subject wants to exercise his or her rights. Then a clause specifying if, when and how a processor can engage another processor.

A close confidentiality which should guarantee confidentiality not only from the cloud provider’s perspective and all employees, but also from any subcontractors or freelancer hired by the cloud provider to assist in the performance of its obligations. Clauses on the provider’s obligation to inform in general and not only in the event of a data breach and the conditions for conducting audits then the conclusion of standard contractual clauses if the data are transferred outside European Union to country not considered as ensuring an adequate level of protection. If data are transferred to US, a specific framework may apply, for example the US privacy shield and then clarifications on the termination of contractual relationship and the destruction of the data in the cloud without prejudice to the provisions of the contract.

Article 28 of the GDPR allows the processor to adhere to a code of conduct article 40 or through certification mechanisms article 42 to demonstrate that it provides sufficient warranties to meet the requirements of the GDPR article 28 and in A 85 despite those contractual provisions or certification procedures, it happens that the cloud provider manages the data entrusted to it almost autonomously. A cloud provider can hardly be regarded as the controller and the GDPR, but it may be considered a Joint Controller within the meaning of its Article 26. In such situations, a supervisor authority may decide to change that controller processor relationship into a Joint controllers one. The parties would be well advised to proactively consider them as such, and sign a Joint Controller’s agreement reflecting the actual division of liability between them.

7. Detailed impact on cloud contracts

Hi guys. The GDPR clearly sets out the right and obligations of subprocessors and requires them to meet strong contractual requirements. Technical architectures in the Cloud are complex and regularly involve several layers of data processors. When personal data is processed in the Cloud, the GDPR requires a high degree of transparency. Parents engaging a subprocessor. So let’s discuss about information and authorization requirements. Article 28 two and four of the GDPR directly deal with a situation where a processor engages another processor which can be called a subprocessor or even a level two processor. Under the GDPR. The controller must give its prior written authorization when its processor intends to entrust all or part of the tasks assigned to it to a subprocessor. Even after having obtained the controller’s formal authorization, the processor remains fully liable to the controller for the performance of the subprocessors obligations. In case of cascading subcontracting, these obligations will be passed down to the other subprocessors, which will be level three subprocessors, level four and so on. Regarding the clauses you need to include in the contract between the processor and a subprocessor, this contract, and we discussed also this before must at least contain the same data protection obligation as set out in the contract between the processor and the controller.

In practice, this contractual scheme is often referred to as a back to back contract. The contract to be entered into between the processor and its processors must therefore necessarily contain the provisions stipulated in article 28, alien eight three of the GDPR, namely the subject matter and duration of the process of personal data that’s really, really important.

Second, the nature and purpose of the processing again, that’s logical and the obligations of security warning and alert towards the controller for any Cloud contract. Information as a service platform and software as a service. The above mentioned obligations of the GDPR regarding subprocessors may require the following again, a close representations containing representations from a processor to the subprocessor regarding all relevant information. The purpose of the processing of personal data made is decided by the controller and to be carried out using the means made available by the subprocessor. A clause.

Again, instructions describing the instructions given from the processor to the subprocessor and how the letter must apply them. Again, a close security presenting the physical and logical security and how these policies deployed by the subprocessors are helping for the measures applicable in case of some unauthorized intrusion or an instant response or a data breach. This clause should be associated with an appendix dedicated to a security assurance plan. Again, a clause under which the processor and subprocessor agreed to cooperate in the event a data subject wants to exercise one of his or her rights. A close confidentiality which should guarantee confidentiality not only from the subprocessor’s own employees but also from any subcontractors or freelancers hired by the subprocessor to assist in the performance of its obligations.

Clauses on the subprocessor’s obligation to inform in general, and not only in the event of a data breach and the conditions for conducting audits in accordance with Article 28. Eliminate three h of the GDPR and the last, the conclusion of standard contractual clauses, if the data are transferred outside of the European Union to a country not considered as ensuring adequate level of protection. If the data is transferred to US, there is a special framework that may apply the European Union US privacy Shield. Again, you should also have clarifications on the termination of contractual relationships and the destruction of data in the cloud. If yet another processor is engaged, the contract to be concluded between the level two processor and level three processors must also reflect all these requirements. Let’s talk about streamlining the contract process with subprocessors in order to ensure that subprocessor contract remain legible. It is possible to include the GDPR obligations listed above in a dedicated appendix.

But in reality, the only effective way to simplify the contract is to get the certification. Both processors and subprocessors can be certified without prejudice to the provisions of their contract. Article 28 of the GDPR allows them to adhere to a code of conduct article 40, or to a certification mechanism in Article 42, which may be used as an element in order to demonstrate that they provide sufficient, efficient warranties required from all processors regarding of their level. Again, this is in Article 28. Ellen eight five this means that the clauses of their contract need to be as detailed, explained about.

8. Clauses between a processor and a sub-processor

Hi, guys. Let’s discuss about codes of conduct, certifications and compliance. The GDPR allows CSP processors to demonstrate compliance with many of its requirements, including the security and general processor obligations, by either adopting approved codes of conduct. Think of the longweighted Data Protection Code of Conduct for cloud service providers still awaiting sign off from the Article 29 Working Party and or participating in certification or Seal programs that are approved by supervisory authorities, possibly the Trustee Enterprise Privacy Certification or the UK. There is the Privacy seal. These compliance steps will also be useful to controllers evaluating and assessing processing services as a part of the mandated data protection impact assessment.

CSP processors will need to wait to see what code of conduct or certification mechanisms evolve and obtain approval in order to determine whether the adherence could make any sense to them. Certification is certainly worth considering if it allows some form of defense from aggressive Legoratory scrutiny and distinguishes CSPs from their peers. Accommodating the Needs of the Controller The majority obligations under GDPR still face up on the controller, despite that it may well fall to the CSP processors to adapt infrastructure or services to accommodate the service and legal burden of their customers.

Data subjects have enjoyed a right to rectify inaccurate data under the directive, and this will continue. The GDPR now introduces the rights to be forgotten. Under this new right, the data subject shall have the right to require the controller to erase personal data concerning them without undue delay, and the controller shall have the obligation to erase such personal when particular grounds apply. The GDPR also introduces an obligation of data portability that the data subjects shall have the rights to receive their personal data from a controller, for example, so they may move it to an alternative service.

All of these rights are exercisable against the controller, not the processor. However, they may create obligations that the controller requires. The more technically proficient CSP processors to facilitate erasing, altering or moving old data from complex technology infrastructure is no simple thing, not least where, let’s say, distributed storage or computing facilities are deployed. This is really, really hard. Additionally, with the definition of Personal Data extending in scope to unique identifiers such as Mac or IP or universal IDs and other specific IDs, more and more data sets may need tracing in order to meet all of these obligations.

• Category: Uncategorized