The Czech Personal Data Protection Authority (PDPA) has been rather unique among EU data protection regulators in consistently stating that server providers are not considered data processors according to the Czech Data Protection Act (provided that they supply the client with no services other than storage space). The PDPA’s position has been very comfortable for server providers and their clients, as it has put less administrative burden on them, especially considering the strict rules for transfers of personal data outside the EU.
In July 2012 the Article 29 Data Protection Working Party (Working Party), an independent advisory body consisting of representatives of national and EU data protection regulators and of the European Commission, issued its opinion on cloud computing, in which it clearly stated that server providers were undoubtedly in the position of being data processors. Although the Working Party’s opinions are not binding, they are generally respected by national regulators. It is therefore expected that under the pressure of the Working Party’s opinion the PDPA will soon align its position with the rest of the EU.
Such a step will significantly change the obligations of Czech companies using third party server providers (including virtual storage based on cloud computing), as well as the obligations of Czech server providers.
The following points summarize some of the most important issues to be borne in mind:
- Czech companies will need to review their agreements with server providers and possibly amend them so that they fulfill the requirements of Czech law for data processing agreements;
- If the data processing performed by clients of server providers is registered with the PDPA, companies acting as data controllers will need to review their registrations and determine whether certain entries need to be updated, such as categories of recipients of personal data or expected transfers of personal data outside the Czech Republic;
- If the server provider and/or the server is located outside the European Economic Area (EEA), Czech companies using such servers will have to observe special rules for transfers of personal data outside the EEA;
- Server providers will form a new level in the chain of data processors, so if their services are used by data processors (rather than directly by data controllers), the consent of data controllers to such chaining will be required; and
- As server providers will be newly considered data processors, they will have to observe obligations under the Czech Data Protection Act and the PDPA will be able to impose sanctions on them if they breach such obligations.