The development of cloud computing can no longer be stopped and offers great efficiency benefits in the field of data management. You also want to enjoy these benefits, but you want to do it responsibly. This article provides guidance on your way to the cloud.
During a first exploration of the road to the cloud you will be confronted with questions such as:
- Where is my data physically located?
- Who can access my data?
- How do you check that?
- How do you ensure that your cloud service provider processes your data in accordance with your requirements?
- How do you get your data back when the contract is terminated?
There is a perception that cloud computing is unsafe. This is unjustified. Although it is true that you give up some control, the risks are manageable and can be kept under control. In order to assess the risks properly, it is important to make them visible through a risk analysis. The next step is to manage those risks. Clear agreements ensure that you and your cloud provider know exactly what to expect from each other.
The following topics are covered in this article:
- What is cloud computing?
- Which rules apply to this?
- For whom are these rules important?
- What conditions must I at least meet?
1. What is cloud computing?
Many definitions of cloud computing circulate, but for this article cloud computing is defined as an on-demand service model for the delivery of IT services, often based on virtualization techniques and distributed computing environments.
Cloud technology can be used to make your own IT scalable and more elastic. The same technology, however, also makes it possible to purchase IT services (e.g. storage, applications, e-mail) in a standardized format and on demand from specialized service providers. This involves using a shared technical infrastructure. Because of the internet techniques used, your data and applications can in fact be located in, and served from, anywhere in the world.
2. Applicable regulations
The General Privacy Directive * is seen as the basic text on privacy and data protection within the European Union. This Directive requires Member States to ensure the protection of the rights and freedoms of natural persons with regard to the processing of personal data by establishing guiding principles for determining the lawfulness of such processing. The Netherlands complies with this obligation with the Personal Data Protection Act (Wbp).
3. For whom are the rules important?
The rules are important for every company or institution that processes (parts of) the business via the cloud. From healthcare institutions to financial institutions, from educational institutions to producers.
4. The fantastic 4 (the obligations arising from the Wbp)
4.1 Written agreement (Article 14 Wbp)
You are obliged to conclude a written agreement with the cloud provider regarding the protection of personal data. The Wbp makes demands on the form and content of the agreements you make with the cloud provider.
4.2 Processing on commission (Articles 12 and 14 of the Wbp)
The cloud provider may only process the personal data collected by you on your express instructions. In addition, personal data may only be processed to the extent necessary to provide the cloud services. The cloud provider is therefore not allowed to use personal data for its own purposes, such as approaching your customers for direct marketing.
4.3 Processing in accordance with the Wbp
The cloud provider must process the personal data in accordance with the Wbp. However, you are often (co-)liable for violations by the cloud provider. If compliance with the Wbp is included as a contractual obligation, it is easier to hold the cloud provider to account for breaches and, if desired, to terminate the cloud contract and claim compensation.
4.4 Group companies and subcontractors (Articles 12, 13 and 14 Wbp)
When processing personal data, the cloud provider may only engage group companies and subcontractors with whom it has concluded a written agreement containing confidentiality and security obligations. In addition, these parties must also carry out their activities and services in accordance with the Wbp.
4.5 Describe security measures
The cloud provider is obliged to adequately secure the personal data. This concerns both security against data loss and protection of access to personal data by unauthorized persons.
A cloud provider’s general obligation to adequately secure personal data in the cloud agreement is not sufficient. The security measures regarding the personal data collected by you must be explicitly described in the cloud contract. Security measures can include passwords, firewalls, encryption of data and a description of the security policy used.
4.6 Checking security (Article 14 Wbp)
The cloud provider must enable you to verify that it meets its obligation of adequate security. An objection from the cloud provider against an audit carried out by you is not acceptable.
4.7 Inform about security incidents
The cloud provider must immediately inform the customer about security incidents and their possible impact on the processing of personal data. In the case of a security incident (for example a data breach) you want to be able to assess what the consequences are and what measures can be taken to limit them (for example informing customers).
4.8 No third party access (Articles 8, 9, 12, 13 and 14 Wbp)
Without your consent, the cloud provider may not give third parties access to the personal data. The cloud provider (and those who act under its authority, such as personnel) is in principle obliged to keep personal data confidential. There are exceptions, such as legitimate requests for access by competent authorities.
4.9 Do not store personal data longer than necessary (Article 10 Wbp)
The cloud provider may not store the personal data longer than necessary to provide the cloud services to you. As the controller, you must ensure that the cloud provider does not retain personal data for longer than is strictly necessary. A provision stipulating that the cloud provider destroys the data after termination of the agreement can provide for this.
4.10 Retrieving data from the cloud (Article 10 Wbp)
The cloud provider must ensure that you can retrieve the personal data you provided from the cloud at the end of the agreement. The personal data must then be removed from the cloud provider's systems without delay.
4.11 Processing only within the European Union or countries with an adequate level of protection (Article 76 of the Wbp)
The cloud provider may only process the personal data in the European Union or in a country with an adequate level of protection. All countries of the European Union have a high level of privacy protection. In addition, the European Commission has designated a number of countries that offer an adequate level of protection (the so-called 'white list'). In principle, the United States is not one of them. US companies with Safe Harbor certification are, however, considered to offer an adequate level of protection.
4.12 Obligations towards investigating authorities
If the cloud provider is requested by an authority to provide personal data concerning your company, then it must:
- inform you immediately
- enable you to defend your rights
- give every assistance to keep access as limited as possible
With cloud computing, not all personal data will be processed at your own business location any longer. You must therefore be informed by the cloud provider about any requests from authorities, so that you can respond adequately.
4.13 Cooperating with requests for access (Articles 35 and 36 of the Wbp)
The cloud provider must cooperate with requests from data subjects (such as customers) to access and correct their personal data. Data subjects have the right to access and correct their personal data. The cloud provider must cooperate with such a request, which is usually addressed to you.
4.14 Bankruptcy of the cloud provider
It is necessary to make sound arrangements for the case in which the cloud provider is at risk of bankruptcy. In the event of the cloud provider's bankruptcy, you must be able to transfer the management of your data to another cloud provider.
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
This article is not legal advice.