The increasing success of cloud computing services (i.e. the set of technologies, software and hardware that enable the saving of increasing amounts of data and information on the web) has prompted the Italian Data Protection Authority to take a position on a phenomenon that has undoubted implications for the privacy of the individuals who use it.
The risks associated with the use of this instrument include, amongst others, (i) an increased risk of loss of stored data, (ii) the fragmentation of such data, which are often spread across multiple servers in geographical locations outside of the European Community, and (iii) the impossibility for the supplier of the service to know the exact location of such data.
The Authority has, therefore, identified ten rules that should be applied by those who intend to send their data to the cloud. In particular, and to cite only the most relevant, they should (a) verify that the outsourced data is saved in a format that can be easily transferred, (b) ensure that data is always available, (c) select the data to be loaded, excluding those which by their nature must enjoy maximum privacy (personal data or sensitive information relating to trade secrets), and (d) verify the contractual provisions relating to the liability of the service provider in case of loss of data or its illicit dissemination.
Pursuant to the Italian Privacy Code, the service provider must be appointed as controller of the data it receives. The data controller should also be kept updated on the physical location of data storage and on the rules applicable to the processing of such data from abroad. In fact, all limitations on the transfer of personal data abroad remain applicable (including in respect of intra-group transfers).