Cloud Computing and GDPR Requirements – Transferring Data Outside the EEA
Using cloud computing for services such as HR, backup and customer relationship management (CRM) is becoming increasingly common, but before selecting a provider it is vital to ensure the service complies with the General Data Protection Regulation 2016 (GDPR). Probably the most significant barrier to compliance, and one which should be a deal breaker for anyone purchasing cloud computing if it is not resolved, arises when data is stored outside the European Economic Area (EEA).
The GDPR restricts transfers of personal data outside the EEA, except to countries covered by an adequacy decision of the European Commission, which gives those countries equivalent status (currently Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to those participating in the Privacy Shield framework)).
This makes using a cloud service which involves transferring data outside those countries illegal unless the ‘appropriate safeguards’ set out in the GDPR are in place.
How to comply if the cloud stores data outside of the EEA?
Appropriate safeguards in the cloud computing context require, at a minimum, a contract between the supplier and the customer and/or the supplier’s subcontractor containing the standard contractual clauses set down by the European Commission.
The purchaser of the cloud service will be the data controller and is therefore responsible under the GDPR for the personal data it provides to the cloud provider, wherever that data might end up. Most relatively small cloud providers act as resellers, using subcontractors to fulfil their contracts, so the location of the provider is rarely the same as where the data will be stored – this is often the USA but occasionally India, China, Iceland and many others, all outside the EEA.
Standard contractual clauses are likely to be the only means of achieving those appropriate safeguards in the context of a business purchasing cloud computing from a relatively small provider.
These standard contractual clauses must be in place between the cloud storage provider and its subcontractors, not just between the customer and the cloud storage provider. This means it is vital to see the provider’s subcontracts before purchasing its services.
Important questions to ask before buying cloud software or storage:
- Does the provider use its own servers or subcontractors’ servers?
- In what country are those servers located?
- Can the cloud provider be certain that data will remain on a server or group of servers in a particular country?
- If those servers are outside the EEA or a country with a current adequacy decision, what written contract is in place between the cloud provider and subcontractor, and if there is one, does it include the standard contractual clauses?
If you require any guidance regarding this matter, then please do not hesitate to get in touch with our experienced team of Intellectual Property Solicitors in Devon on 01392 207020.