Cloud Service Provider – processor, controller or both?
Cloud service providers (hereinafter referred to as the "CSP") nowadays offer a wide spectrum of cloud computing services. The benefits of services provided by a CSP include flexibility, efficiency, cost savings and security, and the services can be chosen to fulfil the full variety of a customer's requirements. One such requirement could be the processing of personal data.
It is generally accepted that, in relation to the customer, the CSP acts only as a processor with respect to the personal data processed pursuant to the contract between the customer as a controller and the CSP as the processor. We agree that there is nothing wrong with such a statement, but it could be subject to further analysis.
First of all, CSPs can be divided into at least several groups based on the extent to which the CSP processes personal data and the extent to which it exercises control over the data provided. This division depends on the existence of different types of cloud computing services, which necessarily establish different roles and responsibilities of the CSP, particularly in relation to data security. A provider of Software as a Service (hereinafter referred to as "SaaS") usually offers software services intended to process data (personal data included), has the ability to exercise control over the processed data, and also establishes how that data is processed. On the other hand, a provider of Infrastructure as a Service (hereinafter referred to as "IaaS") offers its customers just virtualised hardware or cloud computing infrastructure; the customers of such a CSP are free to decide how the provided infrastructure will be used, while the CSP has no knowledge of whether the infrastructure is being used to process personal data or not. Platform as a Service (hereinafter referred to as "PaaS") could then be seen as a hybrid CSP service. While this division does not affect the assessment of the CSP as a processor, it can significantly affect the extent of the contractual arrangements between the customer (controller) and the CSP, in particular in relation to the obligations and responsibilities of the contracting parties.
Secondly, the CSP could be identified as a controller of personal data when it obtains from the customer the personal data necessary for the performance of the contract to which the customer is party, since the CSP determines the purpose and means of processing the customer's data. For this reason, the CSP would be considered a controller of that personal data of the customer and will be subject to all the provisions required by personal data protection legislation (fulfilling notifications towards the data subject).
Last but not least, a CSP that processes the personal data of its customers as a controller for its own purposes, alone or jointly with its customers or third parties, could also be identified as a joint controller, which gives rise to new obligations, at least to specify the respective role of each controller and their relationship towards data subjects. This approach could be applied to services where a specific cloud service is built on top of another cloud service offered by a different CSP. A suitable example would be a CSP offering a certain type of cloud computing service (IaaS) and also arranging another type of cloud computing service (SaaS) from a third party for one customer, where both CSPs could act as controllers or joint controllers in relation to that customer.
As seen, the processing operations conducted by a CSP can be assessed and classified differently. On the basis of the stated facts, the CSP could easily be considered a controller of personal data in relation to its customer (data subject), which has to be reflected in the contractual terms between the CSP and its customers. The possibility that a CSP has the status of controller and processor at once is quite probable and must therefore be taken into consideration every time the relationship between a cloud provider and its new customers is set up.
Article provided by: Miroslav Chlipala & Stefan Pilar, Slovakia
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
CPC project office: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.at