- General Data Protection Regulation (GDPR) poses new challenges for cloud providers
- Data processing contracts need to be adapted to GDPR
- Exclusion of sanctions and civil claims
On 25 May 2018, the new European General Data Protection Regulation (GDPR) becomes applicable and will govern the handling of personal data in cloud infrastructure. “The legal requirements for contract data processing in the cloud are changing with the new European regulation,” says lawyer Jens Eckhardt, Board Member for Legal & Compliance at EuroCloud Deutschland_eco e. V. “Cloud providers should review current contracts with their clients as soon as possible in order to adjust them by May 2018, if necessary, so that unlawful use can be avoided. The GDPR does not include any exceptions for legacy contracts, which means that existing contracts must also comply with the GDPR requirements.”
Liability privileges only apply until May 2018
A contract review is all the more pressing for cloud providers because liability claims and sanctions can be invoked from May 2018 onwards. “The GDPR does not protect contract data processors in the event of damage to the same extent as the liability privileges in section 11 of the [German] Federal Data Protection Act,” says Eckhardt. He also advises cloud providers not to count on sanctions and fines passing them by. The GDPR sets the maximum fine at 20 million euros or 4 percent of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher. For this reason, cloud providers should include so-called exemption clauses in their new service agreements that shield them from economic liability.
Another reason to close legal gaps in service agreements and in the services themselves is that civil claims can be brought against cloud providers from May 2018 onwards. If the design of services and contracts shows an inadequate level of data protection, customers may bring liability claims for defects or even terminate their Infrastructure as a Service (IaaS) or Software as a Service (SaaS) contracts.
Check contracts now for legal certainty
Eckhardt recommends that cloud providers proactively approach their customers in order to incorporate the new requirements into revised joint contracts. “In most cases, it is sufficient to agree on other (or alternative) contractual texts. A modification to the service solely because of the GDPR will rarely be necessary,” says Eckhardt.
Eckhardt suggests reviewing the contract adaptation process on an individual basis. Even where contracts contain no adjustment clauses, he advises clients and cloud providers to work together so that no client faces the risk of using a cloud service unlawfully.
Peter Koller peter.koller@eco.de