An increasing number of Serbian companies is beginning to understand the benefits of storing company data on a cloud and thus turning to purchasing cloud computing services.

The advantages of such services are multiple. They include allowing companies to back up their data and store it, but also to save storage space on their own IT infrastructure without the need to upgrade it – the IT company providing the cloud service already possesses the necessary IT infrastructure. This always means that data are eventually stored on a server belonging to the IT company or its partner companies and the customer can access the data whenever it needs to, usually via a username and password interface or other authorization method provided by the IT company.

However, there are only a few local companies providing cloud computing services on the Serbian market, leading the users of these services (usually large corporations) to turn to foreign cloud service providers. This entails entering into a cloud service agreement which is usually pre-prepared by the foreign cloud provider company, leaving no, or very little room for negotiating conditions of such agreement. This is also known as the “click-wrap” method, in which the customer accepts the terms and conditions offered by the IT company by clicking the little box in the end of the agreement. On the other hand, it would be hard to imagine that the customer company is the one drafting the cloud service agreement given the specific, technical nature of these services. Besides a standard cloud providing agreement, the IT company usually has its own service level agreement, acceptable use policy, and privacy policy which the customer also has to accept.

Accepting the standard terms and conditions of the cloud agreement leaves the customer in predicament of complying with often unfavorable conditions, including accepting a foreign jurisdiction as the applicable one, not knowing whether the IT company shall, indeed, have the access to stored data, how safe the data really are, and very limited liability of the IT company regarding the data loss. Cloud agreements are, therefore, always inclined towards the benefits of the IT company and the customer basically has to take it or leave it.

Another issue that may arise if stored data contains personal data is compliance with the Serbian Personal Data Protection Act when it comes to cross border transfer of such data. Utilizing a cloud service provided by a foreign IT company usually means that data shall be transferred outside of Republic of Serbia. This is not an issue if the country in which data will be stored is a party to the Council of Europe Convention for Protection of Individuals with Regard to Automatic Processing of Personal Data. If this is not the case, the Serbian Commissioner for Personal Data Protections must grant the approval for such cross-border transfer. The Personal Data Protection Act views the customer company as the data controller which needs to adhere to obligations prescribed by the Act, even though data are processed by a foreign cloud provider company. However, the customer company may never know where the data will end up – it can be quite difficult to determine their location since data could flow between different data centers. IT companies are well-known to use sub-contracting companies and their servers located in completely different countries.

As mentioned, although the company wanting to purchase cloud services has no choice in negotiating the terms of such relationship, it has the choice to choose between different cloud providers, because there are differences in what those providers offer. First is the issue of data integrity – the provider needs to ensure a good data encryption and protection against viruses and, if possible, hacker attacks. The provider also needs to be transparent when it comes to location of the data and whether it shall use sub-contracting companies, which need to provide the same level of protection as the contracting IT company. Last but not least, the customer company also has to bear in mind the terms of preserving data after termination of the agreement and choose those providers which preserve data for a flexible period of time and are cooperative regarding data migration or deletion, depending on the customer’s needs.