Cloud computing—data protection

The following TMT practice note provides comprehensive and up-to-date legal information covering:

  • Cloud computing—data protection
  • Cloud computing and the GDPR regimes
  • Guidance from supervisory bodies
  • Contract or other legal act
  • Meaning of processing and personal data under the GDPR regimes
  • Controllers and processors
  • General obligations on customers (as controllers)
  • Specific obligations on customers (as controllers) under Article 28
  • Details of the processing
  • Acting on the customer’s documented instructions

This Practice Note on data protection and business-to-business cloud computing, including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) solutions, provides guidance on:

  1. cloud computing and data protection law

  2. general obligations on customers (as controllers)

  3. specific obligations on customers (as controllers)

  4. international personal data transfers

  5. obligations on suppliers (as processors)

  6. sub-processing

  7. standard processing clauses, approved codes of conduct and certification schemes

  8. sanctions and enforcement

  9. considerations for cloud customers

  10. considerations for cloud suppliers

  11. negotiating cloud contracts

  12. other information laws

  13. overseas data protection laws

  14. conflict of laws and the US CLOUD Act

This Practice Note primarily addresses UK data protection laws.

On 31 January 2020, the UK ceased to be a member of the EU and EEA. Given the extensive data flows between the EEA and UK, equivalent EEA data protection laws will remain of particular interest to UK practitioners. In relation to the subject matter of this Practice Note, there is great similarity between:

  1.  the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) (applicable under UK laws until the end of the Brexit implementation period at 11 pm UK time on 31 December 2020 and remaining applicable in the EEA thereafter), and

  2.  the Retained General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) (applicable under UK laws from the end of the Brexit implementation period and largely based
