Cloud computing and GDPR requirements – transferring data outside the EEA

Posted on 18th February 2020 in Intellectual Property

Posted by

Dan Griffin

Associate and Solicitor

Using cloud computing for services such as HR, backup and customer relationship management (CRM) is becoming increasingly common, but before selecting a provider it is vital to ensure the service complies with the General Data Protection Regulation 2016 (GDPR). Probably the most significant barrier to compliance, and one which should be a deal breaker for anyone purchasing cloud computing if not resolved, arises when data is stored outside of the European Economic Area (EEA).

The GDPR imposes restrictions on transfers of personal data outside of the EEA or countries subject to an adequacy decision by the European Commission, which gives those countries equivalent status (currently Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to those participating in the Privacy Shield framework)).

This makes using cloud computing which involves transferring data outside of those countries illegal unless ‘appropriate safeguards’ set out in the GDPR are in place.

How to comply if the cloud stores data outside of the EEA?

Appropriate safeguards in the cloud computing context require, at a minimum, a contract between the supplier and customer and/or supplier’s subcontractor containing standard contractual clauses set down by the European Commission.

The purchaser of the cloud service will be the data controller and therefore responsible under the GDPR for the personal data it provides to the cloud provider, wherever that data might end up. Most relatively small cloud providers act as resellers, using subcontractors to fulfil contracts and so the location of the provider is rarely the same as where the data will be stored – this is often the USA but occasionally India, China, Iceland and many others, all outside the EEA.

Standard contractual clauses are likely to be the only means of achieving those appropriate safeguards in the context of a business purchasing cloud computing from a relatively small provider.

These standard contractual clauses must be in place between the cloud storage provider and its subcontractors, not just the customer and the cloud storage provider. This means it is vital to see the provider’s subcontracts before purchasing their services.

Important questions to ask before buying cloud software or storage:

  • Does the provider use its own servers or subcontractors’ servers?
  • In what country are those servers located?
  • Can the cloud provider be certain that data will remain on a server or group of servers in a particular country?
  • If those servers are outside the EEA or a country with a current adequacy decision, what written contract is in place between the cloud provider and subcontractor, and if there is one, does it include the standard contractual clauses?

If you require any advice regarding any matter similar to this, then please do not hesitate to get in touch with our experienced team of Intellectual Property Solicitors in Devon on 01392 207020.
