Legal Service for education organisations
The CloudWATCH2 Legal Service is for education organisations that are already planning to use a cloud service and need to understand the legal aspects.
Understanding legal terms within a cloud service contract is extremely important, particularly regarding obligations for both you as a cloud service customer and your service provider.
Our legal experts from ICT Legal are here to guide you through the most common and important terms.
This online guide is free of charge and is intended to help you adopt a cloud service. It is designed to be relatively easy and quick to use.
How to use the guide
Below you find Frequently Asked Questions (FAQs) on legal terms in cloud service contracts.
After the FAQs, you will find a short online form. Please use this form to tell us: 1) which FAQs are the most useful for the cloud service of your choice, and 2) which aspects of a cloud service and the related contract you find most challenging or difficult to understand.
By completing this information, we can provide further guidance and other services to help overcome these difficulties.
According to the standard allocation of responsibilities, the role of controller for personal data processed in the cloud belongs to the customer, whereas the cloud service provider is usually the data processor. This means that, whatever the imbalance in size between the customer and the cloud service provider, the former is a data controller and as such must accept responsibility for complying with data protection legislation; it is responsible for, and subject to, all the legal duties that Directive 95/46/EC places on data controllers. A certain degree of autonomy can be left to the cloud provider in the choice of methods and of the technical or organisational measures used to achieve the purposes of the controller. It should also be considered that data processors often avail themselves of subcontractors/sub-processors in the provision of cloud services.
The “data controller” is the person who (either alone, or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is, or is to be, processed. The “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Privacy Level Agreements (PLAs) are intended to be used as an appendix to Cloud Services Agreements to describe the level of privacy protection that the cloud service provider will maintain. In the PLA, the cloud service provider defines the level of privacy and protection it affords to personal data hosted in the cloud. A useful tip is to use the PLAs of different cloud service providers as a guide for comparing their privacy policies and making an informed choice of provider.
The location of the data, and its potential transfer to a different location, are of the utmost importance when choosing a provider, especially because the provision of cloud services very often means that personal data is processed on servers and infrastructure located outside the European Union. In this case it is unavoidable that personal data is transferred outside the EU. Utmost attention must be paid to the rules governing the flow of personal data from the European legal space to the outside world.
In principle, Directive 95/46/EC prohibits the transfer of personal data to third countries that do not ensure an adequate level of protection for personal data. According to Article 25(6), «the Commission may find (…) that a third country ensures an adequate level of protection (…), by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations (with the Commission), for the protection of the private lives and basic freedoms and rights of individuals». As a derogation from the rule stated above, personal data may be transferred to countries not offering an adequate level of protection if one of the conditions listed in Article 26(1) is fulfilled. Among these conditions, one is particularly recommended for its legal soundness and stability: that the data controller (data exporter) and the cloud provider (data importer) sign the standard model clauses approved by the European Commission.
Providers may outsource part of the processing necessary for the functioning of the cloud to sub-contractors. These sub-contractors may receive personal data from the client of the cloud services, and may be located outside the EU. They can lawfully process personal data flowing from the EU only when one of the conditions mentioned in the question above has been met and when they are contractually bound by the data importer to offer an adequate level of safeguards according to EU law. In Opinion 5/2012, the European DPAs recommended that processors/providers inform the client about the sub-processing in place, detailing the type of service subcontracted and the characteristics of current or potential sub-contractors, and that these entities guarantee to the provider of cloud computing services that they comply with Directive 95/46/EC.
Service Level Agreements constitute a very important component of a Cloud computing contract. SLAs identify the services and the service level objectives that the cloud provider offers to the cloud customer.
SLAs may define the performance of the services (e.g. the availability of the service, the response time, etc.), the security (e.g. service reliability, authentication and authorisation, security incident reporting and management, etc.), the way data is managed (data classification, data lifecycle, etc.) and sometimes also relevant provisions concerning the protection of personal data. As a tip, customers should verify whether the cloud service agreement provides remedies for service level breaches or sets out service credits for SLA breaches (such as money-back rebates or monetary compensation).
Termination of cloud computing contracts is a critical phase which should be considered as early as the assessment phase. Termination initiates a process in which the client must be able to retrieve the data transferred to the cloud, within a specified period of time, before the provider irreversibly deletes it. A good cloud service agreement should contain provisions regulating the data retrieval time, i.e. the period within which clients can retrieve a copy of their data from the cloud service. The data retention period should also be included, as well as the procedures followed by the provider to transfer personal data back to the client or to allow the client to migrate to another provider.