German company C wants to implement a cloud solution for its HR applications. C has decided to engage P, a relatively small cloud service provider also located in Germany. In order to fulfil its contractual obligations to C, P needs to use several sub-contractors.
Among these are company X, located in France, company Y, located in Switzerland and company Z, located in the United States.
C is the data controller. P is the data processor, and X, Y and Z are sub-processors.
The need for a contract
The use of cloud computing usually involves a multitude of data transfers to various legal entities. Cloud service providers will, in most situations, be processing personal data on behalf of data controllers as processors. Under Article 28 GDPR, this arrangement must be governed by a contract or other legal act under Union or Member State law. This contract must cover a set of highly specific issues (see here for more). Cloud service providers will generally engage sub-contractors to allow for flexible and scalable solutions to the service, and will also need to enter into sub-processing agreements.
While some Member States may find the Article 28 requirements overly prescriptive, in Germany the GDPR brings enhanced flexibility as processor agreements may be concluded electronically. This contrasts with the current position under s11 of BDSG (German Federal Data Protection Act) which requires them to be signed manually.
Appointment of sub-processors
While data processors have direct obligations under the GDPR for the first time, the data controller will, in many cases, remain liable or be jointly liable for non-compliance arising from the processors' actions (or inactions). This means that it needs to have oversight of the appointment of sub-processors. The GDPR only allows the appointment of sub-processors where the controller has given prior written consent. This can be general or specific, and the data controller also has the right to object to the appointment.
Transfers of data outside the EEA
Personal data may only be transferred outside the EEA when the data is adequately protected by one of the recognised mechanisms. Subject to limited exceptions, data transfers can only be made to countries which are the subject of an adequacy decision by the European Commission, or in accordance with the Commission's Standard Contractual Clauses (SCCs), or, in cases of intra-group transfers, under Binding Corporate Rules. Transfers from the EEA and Switzerland, to the USA, may also take place where the US-based business has signed up to the Privacy Shield.
On-site audits and information requirements
The GDPR requires processors to make information available to controllers to demonstrate its compliance with its obligations, and to allow for and contribute to audits and inspections. At the time of writing, it is unclear, whether this has to include on-site audits. From the controller's perspective, this in turn allows the controller to comply with its Article 28(1) obligations to ensure it only uses processors providing sufficient guarantees of appropriate technical and organisational measures, and adequate protection of data subject rights.
Consequences of non-compliance
Non-compliance is subject to the possibility of considerable administrative fines (up to €10m or 2 % of worldwide annual turnover in relation to data processing; and up to €20m or 4% of worldwide annual turnover in relation to international (non-EU) data transfers), so businesses have to make sure to address the legal challenges in connection with cloud computing at the earliest possible stage.
Next steps for C
Enter into appropriate contracts
When C implements the cloud service solution for its HR applications, it will result in the transfer of personal data of C’s employees to P and then on to X, Y and Z. C must enter into a data processing agreement with P and P must do the same on equivalent terms with X, Y and Z. The contracts must cover the Article 28 requirements.
Ensure transfers outside Germany are lawful
Data transfers to P and X are covered by the data processing agreement, because they are located in the EEA. The transfers to Y are also lawful because Switzerland benefits from an adequacy decision. As there is no adequacy decision for the USA, data transfers to Z must take place using appropriate safeguards. This could be where Z has self-certified under the EU-US Privacy Shield. Alternatively, P and Z will need to sign up to SCCs. As there are currently no processor to processor SCCs, flow-down SCCs will need to be used and P will remain fully liable to C in respect of any breach of Z's obligations.
Under German law, however, standard data protection clauses must be entered into directly by the controller and the sub-processor. This could be achieved by giving the processor power of attorney in this matter
Comply with its Article 28(1) obligations
C must conduct due diligence in respect of P's ability to comply with its obligations before appointing P as data processor. Under Article 28(1), there is an ongoing requirement to ensure P's suitability which is likely to take place using an information and audit process. Best practice would be to implement a multi-layered approach with regular (e.g. annual) reports being sent by the processor by default, and on-site audits, possibly conducted by a third party in certain specified situations.
This is all well and good in theory, but the reality of the situation may be quite different. The tech giants are unlikely to agree to site visits or extensive audits as that would compromise their security and be extremely burdensome from an administrative point of view.
C will have to take a calculated risk. It could stay with P who may be prepared to allow on-site visits and respond to audit and information requests. Alternatively, C could re-consider and opt for a more established cloud service provider who may provide reduced oversight but is likely to have better technical capability. Factors to consider will include the sensitivity of the data being transferred, the costs involved, and the results of initial due diligence.