The Schleswig-Holstein data protection authority (“ULD”) has published a series of recommendations on how to provide and use cloud computing services in a way that is compliant with German and European data protection laws. The recommendations are based on the Article 29 Working Party (the “Working Party”) Opinion on cloud computing (see our client alert), which analysed the applicable European data protection laws and provided guidelines to both cloud providers and clients. The ULD stated that from a data protection perspective, the processing of personal data in relation to cloud computing posed two specific risks: (1) the lack of control over the data for the cloud client because of the number of data processors (and sub-processors), and the transfer of personal data to countries outside the EEA; and (2) the lack of information provided as to where, how and by whom the data is being processed in the cloud.
The ULD echoed the guidance of the Working Party, stating that the cloud client is the data controller and the cloud provider is the data processor, and this will be the case regardless of the size of the business. The ULD does not accept the imbalance of power between an SME (small or medium enterprise) and a large-scale international cloud provider as a justification to accept clauses or terms that do not comply with data protection law. Furthermore, the ULD states that the relationship should be governed by a contract that complies with the applicable data protection law and sets forth the duty of the cloud provider to inform the client about all sub-processors and all locations where data may be stored or processed.
The ULD comments that data may be transferred outside the EEA only if legal requirements such as the standard contractual clauses or binding corporate rules are in place. Also, the ULD reiterates the Working Party’s comment that a cloud client should not rely on a statement from the provider that it has self-certified compliance with the Safe Harbor framework principles, but should obtain evidence that all data protection principles are complied with.