Companies that use cloud computing services in Europe need to keep in mind that they are viewed as "data controllers," and the cloud computing services as "data processors." As such, under the EU Data Privacy Directive, those using cloud computing services must ensure that the service is adequately safeguarding any personally identifiable information the company puts in the cloud. We recently reported on recommendations in this regard made by the French data protection authority (CNIL). The data protection authority (ULD) in the German state of Schleswig-Holstein has now issued similar recommendations, based upon guidance from the EU Article 29 Working Party. As part of the recommendation, the ULD states, inter alia, (1) that people whose information might be placed in the cloud be told what entity (or entities) operate the cloud computing services, (2) that the cloud client and the cloud computing service have an agreement in place to ensure that the service follows the client's instructions about protecting personal information, (3) that the service give the client sufficient information so that the client can conduct a risk analysis, and (4) that, if the cloud computing service is located outside of Europe, the client take appropriate steps to make sure the international transfer is legal. These steps might include ensuring that the service participates in the US-EU Safe Harbor, for example, or executing a model contract with the service. More information about what to include in the agreement, and background about the ULD's position, is included in this English-language factsheet from the ULD.
TIP: Companies that are subject to EU law, and in particular German laws, will find the guidance on cloud computing helpful if they are contemplating using what is becoming an increasingly popular service.