Slovenia’s DPA Finds Cloud Computing Provider a (Joint) Controller of Personal Data

Slovenia’s Information Commissioner (IC) ordered a cloud computing provider (a public administration body) to enter into written arrangements with its clients, in accordance with the provisions of Article 26 of GDPR. In its view, the fact that the clients (controllers) had little or no influence on the technical measures for processing personal data means that the cloud provider should be considered a joint controller.

Since the IC’s decision was published in an anonymised form, not all the facts about the case are available. However, from what has been published, it seems that the provider’s solution is a typical cloud-based software application or system. Namely, according to the IC, the system simplifies technical aspects for the clients so they can focus on the contents of the data, which is one of the typical features of cloud computing.

In a poorly reasoned decision, the IC cited the following CJEU cases: Google Spain, Jehovan todistajat, Wirtschaftsakademie Schleswig-Holstein GmbH, and Fashion ID GmbH & Co. KG, as well as the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR and the WP29 Opinion 05/2012 on Cloud Computing, but failed to demonstrate that the provider determines, together with its clients, the purposes of the processing of personal data.

Instead, the IC took the questionable standpoint that the clients’ inability to influence the technical specifications of the solution in question and the measures and procedures for the protection of personal data, as well as the fact that they had no say in the choice of sub-processors, should be mitigated by declaring the cloud-computing provider a joint controller of personal data. In the IC’s view, the provider and its client(s) follow the inter-connected or complementary purposes of fast and efficient execution of inquiries by clients as well as transmission of personal data by data sources, without being burdened by the technical specifics of individual data sources.

Cases in which cloud-computing providers are deeply involved in determining not just the means, but also the purposes of processing personal data, do and will exist. In the case at hand, however, the IC failed to truly demonstrate that the cloud provider determines the purposes of the processing. The decision is therefore highly questionable.

There is no doubt that cloud-computing providers should act responsibly and should meet the highest expectations when it comes to personal data security. However, declaring them joint controllers even when it is clear they have no interest in the personal data being processed in their cloud or even have no knowledge of the data being processed, seems like a step too far.


Article provided by INPLP member: Matija Jamnik (JK Group, Slovenia)



Dr. Tobias Höllwarth (Managing Director INPLP)