IT Lexicon

Cloud computing

Cloud computing refers to the delivery of computing resources (processing, storage, applications) over the Internet, in the form of services operated by a third-party service provider rather than on the organization's own premises.

The use of cloud computing offers advantages such as reduced upfront and management costs and the partial or complete outsourcing of software applications, information and communication technology infrastructure and data storage, including the storage of personal data.

It can also raise the level of protection of the processed information, since the provider may operate security measures that the organization could not afford or maintain on its own.

However, cloud computing also presents risks: the organization has less direct control over how its data is handled, and exposing data and services over the Internet necessarily adds an additional element of risk.

As a result, organizations must implement technical and organizational security measures specific to their use of cloud computing to ensure a level of security equivalent to that of an in-house deployment, including encryption of data where necessary.

In order to maintain control over your data, it is therefore important to:

  • Select a cloud service provider that provides sufficient guarantees regarding the technical and organizational security measures it implements, so as to help the organization comply with the GDPR and ensure the rights of data subjects;
  • Enter into a legally binding contract meeting the requirements of the GDPR (Article 28), and in particular provide that the cloud service provider, acting as a processor on behalf of the organization concerned, must not process the data without prior documented instruction from the organization, which is in principle the sole controller;
  • Ensure and actively monitor the implementation of the guarantees and other required contractual provisions.

In any case, the organization should only use the services of a cloud provider if the provider properly meets the requirements for GDPR compliance.

It is therefore necessary to carefully monitor the lawfulness of any data transfers made by the cloud provider, which may host data in several locations outside the European Union.

There are three main service models in cloud computing: SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). The division of security responsibilities between provider and customer differs for each, so the contractual and technical measures above should be adapted to the model actually used.

GDPR Point

Any processing of personal data that takes place in the course of the activities of an establishment of a controller or processor on the territory of the Union should be carried out in accordance with this Regulation, whether or not the processing itself takes place in the Union.

Recital 22 of the GDPR

Point of jurisprudence

The European Court of Justice (ECJ) has declared that "As regards the rules on the security and protection of data stored by providers of electronic communications services, it should be noted that Article 15(1) of Directive 2002/58 does not allow Member States to derogate from Article 4(1) and Article 4(1a) thereof. These latter provisions require that such providers take appropriate technical and organizational measures to ensure effective protection of stored data against the risks of misuse and unlawful access. In view of the amount of data stored, the sensitive nature of such data and the risk of unlawful access to it, electronic communications service providers must, in order to ensure the full integrity and confidentiality of such data, guarantee a particularly high level of protection and security through appropriate technical and organizational measures. In particular, the national regulations must provide for the retention of the data on the territory of the Union as well as the irreversible destruction of the data at the end of the retention period."

ECJ, December 21, 2016, No. C-203/15 and C-698/15

The Bouchara Law firm assists you in particular in:

  • The drafting and negotiation of your cloud computing contracts;
  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, IT charter, etc.);
  • Documentation of your processing (register of processing activities, register of personal data breaches, data protection impact assessment, prior consultation, etc.);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We also act as external Data Protection Officer for many data processors and subcontractors.