COVID-19 Update: Tozers is providing our usual client services while maintaining the safety of our clients and colleagues. Full update here

Complete the form below to ask us a question or make an enquiry. We’ll get back to you via phone or email as soon as possible.

Insights

Cloud computing and GDPR requirements – transferring data outside the EEA

Posted on 18th February 2020 in Intellectual Property

Posted by

Dan Griffin

Associate and Solicitor
Cloud computing and GDPR requirements – transferring data outside the EEA

Using cloud computing for services such as HR, backup and customer relationship management (CRM) is becoming increasingly common but before selecting a provider it is vital to ensure the service complies with the General Data Protection Regulation 2016 (GDPR). Probably the most significant barrier to compliance and one which should be a deal breaker for anyone purchasing cloud computing if not resolved arises when data is stored outside of the European Economic Area (EEA)

The GDPR imposes restrictions on transfers of personal data outside of the EAA or to countries subject to an adequacy decision by the European Commission which gives those countries equivalent status (currently Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to those participating in the Privacy Shield framework)).

This makes using cloud computing which involves transferring data of outside of those countries illegal unless ‘appropriate safeguards’ set out in the GDPR are in place.

How to comply if the cloud stores data outside of the EEA?

Appropriate safeguards in the cloud computing context requires at minimum a contract between the supplier and customer and/or supplier’s subcontractor containing standard contractual clauses set down by the European Commission.

The purchaser of the cloud service will be the data controller and therefore responsible under the GDPR for the personal data it provides to the cloud provider, wherever that data might end up. Most relatively small cloud providers act as resellers, using subcontractors to fulfil contracts and so the location of the provider is rarely the same as where the data will be stored – this is often the USA but occasionally India, China, Iceland and many others, all outside the EEA.

Standard contractual clauses are likely to be the only means of achieving those appropriate safeguards in the context of a business purchasing cloud computing from a relatively small provider.

These standard contractual clauses must be in place between the cloud storage provider and its sub contractors, not just the customer and the cloud storage provider. This means it is vital to see the provider’s sub contracts before purchasing their services.

Important questions to ask before buying cloud software or storage:

  • Does the provider use its own servers or sub contractors’ servers?
  • In what country are those servers located?
  • Can the cloud provider be certain that data will remain on a server or group of servers in a particular country?
  • If those servers are outside the EEA or a country with a current adequacy decision, what written contract is in place between the cloud provider and subcontractor, and if there is one, does it include the standard contractual clauses?

If you require any advice regarding any matter similar to this, then please do not hesitate to get in touch with our experienced team of Intellectual Property Solicitors in Devon on 01392 207020.

Company & Industry

Related Insights

Insights

Can a lasting power of attorney be witnessed remotely?

Posted on 23rd November 2020 in Later Life Planning

During Lockdown we have seen various changes in the law regarding how Wills can be finalised during the pandemic, including the use of remote witnesses. However, what has been less well publicised are whether there are any equivalent rules for the remote signing of Lasting Powers of Attorneys (LPAs).

Posted by

Naomi Hoare

Solicitor
Insights

Arrangements over the festive period

Posted on 11th November 2020 in Family Law

Every year, we receive an influx of enquiries from parents facing difficulties with arrangements over the festive period. This year, sorting out these arrangements as early as possible is likely to be more important than ever.

Posted by

Aimee Aspinall

Chartered Legal Executive