CloudWATCH2: Legal recommendations on EU cloud computing services

Cloud computing technologies and services have evolved as fast as they have spread amongst client organisations. However, contracts regulating the provision of cloud computing services have not evolved at the same pace. Cloud providers often offer these contracts in a standard, non-negotiable form. This may make it difficult for clients, whether private companies or public authorities, who typically take the role of data controllers under EU law, to discharge their duties towards data subjects and local or supranational Data Protection Authorities.

This document provides some basic guidelines for cloud clients entering into a cloud computing contract. A series of recurrent contractual issues has been identified and addressed in a short and comprehensive way from the data protection law standpoint. References to other checklists and standards tackling issues critical for cloud services are also provided where relevant. In developing the document, the provisions of Regulation (EU) 2016/679 (“GDPR” or simply “Regulation”), which entered into force on 5 May 2016 and will start applying from 2018, were taken into account and incorporated, where relevant, in the text of the document.