IT infrastructure and services are now regarded as a significant area of systemic risk to be managed via legal and regulatory frameworks. Most countries in the world now have data protection laws to impose obligations on organizations (controllers) which process data, and to give the data subjects (individuals whose data are being processed) specific rights in relation to their personal information.

Where a controller delegates the processing of personal data to another organization (processors), there will also be obligations to ensure that appropriate security is maintained. Data protection regulators (supervisory authorities) and courts may become involved to ensure that data subjects can exercise their rights effectively and to impose sanctions for breaches of the rules by controllers or processors.

The GDPR applies directly in 30 countries (comprising the 27 member states of the European Union and the 3 additional countries that with the EU make up the European Economic Area). The GDPR has a long-arm reach (extraterritorial application) that extends well beyond Europe. It has established a complex regulatory framework that governs transfers of personal data from the EEA to ‘third countries’. It has an impact on the development of data protection laws worldwide.

Personal Data

Personal data under the GDPR refers to any information relating to an identifiable individual. But not all personal data are treated the same. The GDPR considers some so called special categories of personal data as more sensitive and processing such data is subject to stricter rules. The special categories include race, ethnic origin, genetic data, health data, etc.

Anonymization vs Encryption

Not all personal information are elate to an individual. It depends on whether the individual is in fact identifiable.

AnonymizationAnonymisation means that the information no longer relates to you in an identifiable way.
The GDPR would not apply to the processing of such anonymized data as the data is no longer personal.
For example: a company might anonymize a copy of your health records for future research purposes before storing that copy on the servers.
EncryptionEncryption will make data non-accessible to others, but the holder of decryption key may be able to decrypt or unlock the information and identify you. So encrypted personal data is still personal data. The GDPR will apply to the encrypted data.

Household Exemption

Some processing activities are excluded from the application of the GDPR. In particular, the GDPR does not apply to processing of personal data by an individual in the course of a purely personal or household activity with no connection to a professional or commercial activity.

GDPR does not apply whenYou, for a purely personal reason, upload photographs of your friends and family on a social networking service.
GDPR applies whenYou publish the photographs of your friends and family on a social networking service, which could make that data accessible to an indefinite number of people.
This may take your activity out of the purely personal or household sphere.

Even though you are not engaging in a professional or commercial activity, the GDPR may still apply to service provider’s processing of such personal data.

Main Actors

Data subjectIndividuals to whom personal data relates.
ControllersA controller is the individual or company that determines the purposes and means of processing.
ProcessorsA processor is the individual or company that processes personal data on behalf of
the controller by following the controller’s instructions.
Where a processor engages another processor to carry out a specific processing activity
on behalf of the controller, the other processor are called a ‘sub-processor’.
Supervisory authoritiesSupervisory authorities monitor the application of the GDPR to protect data subjects’ rights and ensure consistent application of the GDPR throughout the EU. They may initiate investigations on whether a controller or processor complies with
the GDPR and issue fines for GDPR infringements.

The controller has many more obligations than the processor. The controller is responsible for complying with the data protection principles, the legal grounds for processing and with facilitating data subject rights. Both controllers and processors are responsible for the security of personal data, but only controllers is responsible for responding to the requests to exercise your rights.

Joint Controllers

The concept of joint control refers to two or more controllers who jointly determine the purposes and means of processing. The European Data Protection Board has interpreted that to mean that controllers may have linked or complementary purposes that are sufficiently close to make them joint controllers where they derive some mutual benefit from a specific processing activity. Analyzing who benefits from a processing activity may be important to determine whether the parties are processing the data for the complementary purposes.

The GDPR requires joint controllers to have an arrangement between them, which can be a contract, outlining their respective GDPR roles and responsibilities, particularly for dealing with data subjects’ rights.

Controllers (Customers) vs Processors (Providers)

In practice, cloud customers are acting as controllers, and cloud providers are acting as processors.

One of the controller’s main responsibilities is to use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to meet GDPR requirements. Processing by a processor must be governed by a contract or other legal act which determines the nature and context of the processing and the controller’s rights and obligations.

This contract may have the form of a Data Processing Agreement, drafted unilaterally by the cloud provider (processor), especially when the cloud provider (processor) is a big company with access to greater resources and technical expertise than its customer (controller) has.

As controllers are ultimately accountable for GDPR compliance to supervisory authorities and data subjects, controllers still have responsibility to ensure that the terms of the agreement are compliant with the GDPR. Moreover, cloud providers must assist their customers to

  • Ensure compliance with their security obligations
  • Carry out data protection impact assessments
  • Allow for and contribute to audits

Upon termination of their services and at the request of the customer, cloud providers as processors must delete all personal data.

Sometimes processors also require the collaboration of controllers to fulfill their obligations, and they may be required to inform the controller if any of its instructions infringes the GDPR or other EU data protection law.

The same GDPR obligations included in the contract between the controller and the processor must be replicated in the contract between the processor and any sub-processor used. Sub-processors will have the same GDPR obligations as processors, and processors will be liable to controllers / customers for any GDPR failures by sub-processors.

Data Protection Principles

Lawful ProcessingUnder the GDPR, the controller can process personal data lawfully, only if they have one of the legal grounds mentioned in the Regulation. That could be an individual’s consent or one of the purposes listed in the GDPR when processing is objectively necessary (for example tax purposes).
Fair ProcessingProcessing should be in line with data subjects’ expectations to avoid unexpected consequences.
Transparent ProcessingController need to inform data subjects in a clear and intelligible manner of how and why they are processing their personal data.
Purpose LimitationControllers must process personal data only for the purpose for which the data were collected.
Data MinimizationData minimization means that a controller must process only the minimum amount of personal data needed for a specific purpose and delete unnecessary data.
Storage LimitationPersonal data should not be kept in an identifiable form for longer than necessary for the purposes for which they are processed.

Security Obligation

Under the GDPR, both the controller and the processor must implement appropriate measures to ensure a level of data security appropriate to the risk of processing. That requires an active and continuous risk assessment and management. In cases where processing may result in a high risk for individual rights, the controller must carry out a data protection impact assessment and describe how the security measures implemented address the potential risks.

Under the GDPR, we have a personal data breach, if a security breach leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data. This includes situations of temporary loss of control or access to data, even though the data may exist somewhere.

The processor must notify the controller without undue delay after becoming aware of this personal data breach. The controller must notify the breach to the competent supervisory authority, unless the breach is unlikely to result in a risk to individual rights and freedoms. Controller’s reporting must be done where feasible no later than 72 hours after having become aware of the facts.

The supervisory authority should investigate the extent of the breach and the processes in place to mitigate the damage and/or prevent future breaches. The outcome of the investigation can lead to the supervisory authority imposing fines either on controllers or processors or both if they failed to fulfill their GDPR obligations.

It depends that the controller should notify the data subject. Controllers must notify data subjects without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms.

In cloud computing, where evaluating and mitigating risks may be complex and expensive, customers may have to rely on providers’ additional privacy and security features, even at an extra cost, to demonstrate compliance with their own security obligations.

This is driving a trend towards ‘Compliance-as-a-Service’, whereby customers are becoming increasingly reliant on cloud providers to manage specific data protection compliance obligations.

Individual Rights

Controllers have an obligation to respond to requests from data subjects who wish to exercise various rights, such as:

  • the right of access to personal data
  • the right to have personal data erased
  • the right to data portability

Controllers must inform individuals (data subjects) if they are processing personal data and provide them with some additional information no later than at the time of data collection. If the controllers’ service runs on other providers’ platform or infrastructure, controller should also provide information about this layered service and provide a list of sub-providers used. Controller must have procedures in place to allow Ellen to get confirmation of whether her personal data are being processed and have access to such data. Individuals also have rights to erasure.

Fines and Compensation

Under the GDPR, the competent supervisory authority has the power to investigate and impose fines on both controllers and providers, and data subjects have the right to request compensation for any damage suffered by this GDPR infringement.

In EU, each Member State has its own competent supervisory authority. The European Data Protection Board, which includes representatives of the national regulators, promotes the consistent application of the GDPR across the EU. The GDPR lays out in detail the competencies and tasks of supervisory authorities, as well as the processes by which they must collaborate to ensure a consistent application of the GDPR throughout the EU.

Supervisory authorities also have the power to investigate and audit cloud providers’ compliance, regardless of a data subject’s complaint, and to impose fines for GDPR infringements. These infringements include

  • Failure to comply with obligations relating to the data protection principles
  • Data subjects’ rights
  • International data transfers
  • Non-compliance with an order by a supervisory authority

The fines could be up to โ‚ฌ10 million, or in the case of a business, up to 2% of its total annual worldwide turnover for the preceding financial year, whichever is higher. For various GDPR infringements, however, there is an even higher ceiling of up to โ‚ฌ20 million or four percent of the controller’s or processor’s worldwide annual turnover.

International Data Transfers

The customers of cloud services may be located anywhere, which means international data transfers occur on a vast scale in the context of cloud services. There are two main ways in which the GDPR may apply in a particular case:

  1. A relevant controller or processor is established in one of the 27 EU member states, or in Iceland, Liechtenstein, or Norway that with the EU make up the European Economic Area.
  2. A controller or processor that is outside the EU processes personal data to offer goods or services to, or to monitor the behavior of, individuals who are in the EU.


The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. A two-step test is required to determine whether the processing of personal data falls within the GDPR’s scope.

  1. Does the controller or processor have an establishment in EU?
    • Establishment implies the effective and real exercise of activities through stable arrangement. – GDPR, Recital 22
    • A single sales representative active in a Member State of EU might be enough to constitute an establishment.
  2. Does the processing take place in the context of activities of that establishment?

A controller or processor will be subject to obligations under the GDPR whenever processing of personal data is carried out in the context of the activities of its EU establishment. Moreover, GDPR will apply in such cases regardless of whether the processing takes place in the EU or not. As a result, there are no geographical limits on the potential application of the GDPR in cases where the establishment test is triggered. This may have significant consequences for cloud service providers and their customers.

When does the GDPR apply to non-EU controllers or processors? There are two situations:

  1. where the processing activities are related to the offering of goods or services in the EU
  2. where the processing relates to the monitoring of behaviour that takes place within the EU

Third Country Transfer Restriction

EU data protection law has a general prohibition on transferring personal data to a so-called third country unless certain conditions are met. A third country is any country that is not a member of European Economic Area. The essential rationale behind the third country data transfer restriction is to ensure that when personal data are transferred from the EU to controllers, processors, or other recipients in third countries, the level of protection provided by the GDPR is not undermined. This concern also arises in relation to onward transfers of personal data from a third country recipient to other parties in the same or another third country. However, the restriction may affect the ability of service providers to deliver the full benefits of cloud to their customers in terms of flexibility and efficiency.

The term transfer is not defined in the GDPR. However, the European Data Protection Board has identified three cumulative criteria that it considers will make a processing activity constitute a transfer:

  1. A controller or processor is subject to the GDPR for the relevant processing; AND
  2. This controller or processor acting as the exporter makes personal data available to another controller, joint controller, or processor acting as the importer; AND
  3. The importer is in a third counter or is an international organization.

When customer is in EUA cloud customer established in EU sends data about its employees to a cloud service provider in the US for processing.
In this case, there will be an export of personal data by the EU customer, which is a controller subject to GDPR, to the cloud provider, which is importing the data as a processor in a third country.
When customer is outside EUA Turkish (non-EU) company that is not regulated under the GDPR sends data about its Turkish employees to a EU cloud provider for processing.There will be no restriction on the initial movement of data fromthe Turkish customer to the EU cloud provider. However, because the cloud provider is a processor that is established in the EU, the transfer of data back to the customer in Turkey might be considered a regulated transfer.Unfortunately, the imposition of GDPR transfer restrictions in this type of situation may be a disincentive to the use of EU cloud services by customers outside the EU.
when data movement is completely outside EUAn employee of an EU company travels to Mexico to attend a conference, makes a note on his laptop about meetings that he has with other conference attendees. The note was automatically uploaded to the EU company’s cloud provider, which is in the US.
In this case the employee is processing data in the context of the EU company’s activity as a controller established in EU, and the data are transferred to a cloud provider in a third country, so the movement of data from the employee’s laptop in Mexico to the cloud provider in the US will be regulated as a transfer under GDPR.

What are the options for transferring data to third countries? The GDPR offers several transfer mechanisms (sometimes called transfer instruments or transfer tools) which cloud providers or their customers may be able to use as a basis for transferring personal data outside the EU. The transfer mechanisms fall into three categories:

Adequacy decisionsThe European Commission may decide that a country outside the EU provides an adequate level of protection.
In effect, this means that these countries have been pre-approved as being safe for the processing of the personal data of data subjects in the EU.
Appropriate safeguardsThe GDPR permits a controller or processor to transfer personal data to a country that has not been declared adequate, provided appropriate safeguards are in place.
/ Exemptions
In cases where neither an adequacy decision nor appropriate safeguards are available.

Adequacy Decisions

The Court of Justice of the European Union, or CJEU, found that adequacy means that the third country provides a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed by EU law. In the assessment, the European Commission considers a wide range of elements:

  1. The rule of law and respect for human rights and freedoms
  2. Data protection and other relevant legislation
  3. The existence and effectiveness of a data protection authority
  4. The relevant binding international commitments

If the assessment concludes with a positive finding, the European Commission issues a decision confirming the adequate level of protection in the third country, usually referred to as an Adequacy Decision. Adequacy decisions are reviewed periodically. The European Commission also has the power to revoke an adequacy decision at any time after giving the affected jurisdiction notice and an opportunity to respond.

Appropriate Safeguards

In the absence of a adequacy decision, the GDPR permits a controller or processor to transfer data to that country provided appropriate safeguards are in place. Such appropriate safeguards include:

  1. Standard Contractual Clauses (SCCs) that the countries have been pre-approved as being safe for the processing of the personal data of data subjects in the EU.
  2. Binding Corporate Rules (BCRs) that are legally binding and enforceable internal rules and policies within a corporate group which provide a framework for international transfers of data to countries that do not provide an adequate level of protection for personal data.
  3. Approved Codes of Conduct / Approved Certification Mechanisms to be relied on to provide appropriate safeguards. These may in future be useful mechanisms for data transfers between cloud providers and their customers.

SCCs have been used extensively since they were first introduced in 2001. The 2021 SCCs are, in effect, a set of contractual templates that can be adapted to fit a variety of data transfer arrangements involving controllers, processors, and sub-processors of data, whether located inside or outside the EU. The approved SCC package has a modular structure, with sets of clauses for different types of transfer arrangement. The four modules are for

  • controller-to-controller transfers
  • controller-to-processor transfers
  • processor-to-processor transfers and
  • processor-to-controller transfers

All of the modules are potentially relevant for cloud providers and their customers.

In addition to the four sets of standard clauses for different types of transfer structure the SCCs contain three annexes for the contracting parties to complete:

  • Annex 1: description of the parties and the transfers
  • Annex 2: technical and organizational security measures
  • Annex 3: list of sub-processors that are pre-approved

Data exporters have obligations to undertake a risk assessment before transferring data. This is often called a Transfer Impact Assessment to determine whether the use of SCCs will in practice provide a level of protection that is essentially equivalent to that guaranteed in the EU. If there are issues with the level of protection, then the data exporter will need to determine whether so called Supplementary Measures can be applied alongside the Standard Contractual Clauses, so as to maintain the level of protection required. If this is not possible, then the data exporter may need to suspend or end the transfers.


These derogations are in effect exemptions from the general rule that personal data may only be transferred to a third country if an adequate level of protection is provided in that country or if appropriate safeguards are in place. The potential derogations include:
1. Consent
2. Contractual necessity
3. Important reasons of public interest
4. Legal claims
5. Protection of vital interests
6. Compelling legitimate interests

All of the derogations are subject to very restrictive conditions and none is likely to provide a stable basis for routine transfers between cloud providers and their customers.

Regulation of Critical Infrastructure

The EU adopted the Network and Information Security Directive in 2016. It is the first piece of EU legislation specifically aimed at improving the cybersecurity of critical infrastructure, by making sure that appropriate measures are in place to prevent and to respond to disruptive security breaches. There are two main obligations the NIS directive imposes:

  1. Safeguarding obligations require cloud providers to implement appropriate and proportionate security measures.
    • Leaves it up to cloud providers to determine which security measures are appropriate and proportionate.
    • Measures must aim to manage the risks posed to cloud services, and prevent and minimize the impact of any incidents.
    • In practice, this means that cloud providers must engage in a cybersecurity risk management exercise.
    • The NIS Directive’s focus on the risk management process rather than on substantive outcomes carries its own risks.
  2. Notification obligations require cloud providers to notify a regulator in case of a security breach.
    • To trigger this obligation, there must be a breach of security, which also has a substantial impact on the provider’s service.
    • No notification if the breach is without substantial impact.

The NIS Directive covers two types of organization:

Operators of Essential Services (OES)Provide services in one of the seven listed sectors, such as energy, transport, and drinking water, etc.
Operate on such a scale that their service is critical to societal and economic activities.
Digital Service Providers (DSPs)Includes three types of service: online search engines, online marketplaces, and cloud services.

The NIS Directive defines a cloud computing service as:

a digital service that enables access to a scalable and elastic pool of shareable computing resources.

  • “Scalable” means that the resources are flexibly allocated by the cloud provider in order to handle changes in demand.
  • “Elastic pool” refers to computing resources that can be rapidly provisioned and released in order to increase or decrease the resources available depending on workload.
  • “Shareable” refers to multiple users sharing access to the service while the processing is carried out separately for each user using the same underlying physical equipment.

This suggests that not all SaaS services (which are not all scalable) qualify as cloud services under the NIS Directive. So major IaaS providers need to comply with the NIS Directive. In contrast, SaaS providers need to carefully consider whether their service gives customers access to elastic and scalable resources.

The definition doesn’t appear to cover private cloud (which aren’t sharable in most cases). The EU Commission is considering whether to include private cloud in the scope as part of its proposed NIS 2 Directive.


There are three different functions of regulators:

  1. Providing guidance – Regulators can reduce uncertainty by issuing guidelines on how to interpret the safeguarding obligations.
  2. Proactive oversight and reactive enforcement
    • OES – subject to both proactive (ex ante) oversight and reactive (ex post) enforcement.
    • DSPs (including cloud services) – only subject to reactive (ex post) enforcement.

According to the NIS Directive, this difference in regulatory approach reflects the fact that cloud services are less of a risk than OES providers. When a regulator determines that a cloud provider is in breach, then it has the power to impose penalties.


Jurisdiction differs under OES and DSPs:

  • OES – each Member State must identify the relevant operators active within its territory. A single organization, if operates in multiple Member States, can be subject to regulatory oversight by multiple national regulators.
  • DSPs – fall under the jurisdiction of the Member State where they have their main establishment. They will only be supervised by a single regulator in the EU.

My Certificate

For more on GDPR: General Data Protection Regulation, please refer to the wonderful course here

Related Quick Recap

I am Kesler Zhu, thank you for visiting my website. Check out more course reviews at

Don't forget to sign up newsletter, don't miss any chance to learn.

Or share what you've learned with friends!