If you decide to employ an external cloud service provider (the provider), for example, in order to upload and store documents, photos, videos, and other files on a remote server (a “cloud service”), your relationship with the provider could be one of joint controllership, a controller-processor relationship or both. In order to engage with the provider in accordance with data protection law, it is important to check what your relationship with the provider is for each processing operation or group of operations you intend to carry out with their involvement, because different obligations and liabilities follow from the existence of each relationship.

When it is clear that you are the “data controller” in respect of certain processing operations, the provider will be processing the data on your behalf as a “data processor”. You are then obliged to ensure that the provider you have engaged provides sufficient guarantees to implement appropriate technical and organisational measures and that the data processor will only process the data in accordance with your instructions, and with Article 28 (3) of the General Data Protection Regulation (GDPR). You must enter into a written legally binding agreement, setting out the details of the respective roles, responsibilities and obligations. If the "cloud" provider is storing your data outside of the European Economic Area, you must take additional steps to ensure that the data remains protected. It is therefore important that you establish precisely where and how the data you provide to a cloud provider will be handled.

If, on the other hand, the relationship is one of joint controllership, each of you will bear the responsibility of a data controller under data protection law, and you are obliged to set out your respective responsibilities for compliance with the obligations under data protection laws. 

For more information, read our guidance on Five Steps to Secure Cloud-based Environments. You can also read our guidance for Organisations Engaging Cloud Service Providers.