A cloud service provider could be a joint controller for processing
A cloud service provider could be considered jointly responsible for the processing. This has been demonstrated by the Slovenian data protection authority, which launched an ex officio investigation into a cloud service provider and concluded that it could be considered a co-controller.
In this article we analyze the situation carefully and set out the key points.
What is a cloud service provider and what is its role?
A cloud service provider is an external company that offers cloud-based platform, infrastructure, application or storage services.
In addition, these cloud service providers provide companies with a number of advantages. Companies can take advantage of scalability and flexibility (as they are not limited to the physical constraints of local servers), reliability offered by multiple data centers with multiple redundancy, customized configuration of servers according to their preferences, and load balancing functionality that responds quickly to varying demand. However, it is important to also evaluate the security aspects of cloud storage to ensure compliance with applicable regulations.
What is a joint controller for the processing of personal data?
In order to define what a joint controller is, we must first talk about the figure of the data controller.
In this sense, according to the General Data Protection Regulation, a data controller is a natural or legal person who carries out the processing of personal data according to the purposes and means they have decided upon.
Taking into account this definition, the joint controller for the processing of personal data is the controller who carries out the described activity jointly with another controller, in such a way that they have reached an agreement on the purposes and means used to carry out the processing.
Could a cloud service provider be considered joint controller for the processing of personal data?
The Slovenian data protection authority initiated an ex officio investigation into a cloud service provider and concluded that it could be considered a joint controller for the processing.
In this regard, the Slovenian authority established that the cloud computing business model consisted of handling complex technical details to simplify the processing of and access to its customers’ data, and that these customers had little or no influence over the technical and organizational measures employed by the cloud service provider.
As the customers could not ensure compliance with the provisions of the General Data Protection Regulation, the cloud provider acted as the controller in determining the processes by which data is processed and the hiring of sub-processors.
Thus, as both the cloud provider and its customers determined the purposes of the processing, they exercised joint control and, therefore, must sign a joint controller agreement.
Accordingly, the question arises as to whether the purposes or the means take precedence, and the European Data Protection Board has stated the following: “The non-essential means relate to more practical aspects of the processing itself, such as the choice of a particular type of hardware or software or the decision on the details of security measures, which can be left to the processor”.
Legal implications to be taken into account
The Spanish Data Protection Agency points out that the application of data protection regulations to cloud computing service offerings must start by identifying the legal position of the provider of such services and the customers with whom it contracts, respectively.
Therefore, considering the above, if the cloud service provider, instead of being a data processor, is identified as a joint controller, it must take into account another series of data protection issues that will apply to it.
Letslaw is a firm of international lawyers specializing in business law.