The most important and general rules on data protection in Austria are set forth in the GDPR and the DSG. However, specific data protection rules, for instance, relating to employment contracts, have additionally been introduced into the relevant sector, business or topic-specific acts.
All data protection rules have in common that they only govern the processing of personal data, which is data by which a natural person can be identified. Since business data always also contains personal data (for example, the names of users or contact persons), the relevant rules are also applicable if such data is stored at a cloud computing provider.
In principle, the GDPR demands personal data to be processed only based on legal grounds. Those can be, for instance, consent or the necessity to process the personal data to fulfil a contract concluded between the natural person (data subject, here the user) and the contracting partner (processor, here the cloud provider). A typical application of a necessity to process would be the processing of the user’s name and address by the cloud provider for the purpose of billing.
Furthermore, the GDPR demands that any personal data shall only be processed for specific purposes. Thus, in the example above, the cloud provider is not allowed to use the user’s contact data for marketing purposes if it was only collected for the purpose of fulfilling the contract (that is, maintaining an account with credentials, billing and any other use required by the service itself).
This configuration becomes more complex in a typical business-to-business environment, where the user is no longer the data subject, but rather a business that itself processes personal data of its own users, employees and others and is thus itself controller. The cloud provider’s role is then changed to that of the ‘processor’: an entity that no longer processes personal data for its own use but for, and according to the instructions of, a controller. In this configuration the rules regarding the legitimate processing of personal data still apply. Thus the business user (controller) needs to ensure that it cannot just legitimately use, but can also transfer personal data to the cloud provider (processor). Additionally, the controller needs to conclude a written contract with the processor ensuring that it will process the personal data only within the scope of the contract with and instructions of the controller (see article 28 GDPR for further details). Even though the controller and processor are jointly liable according to the GDPR, the main accountability and liability nevertheless rests with the controller.
While contracts requiring cloud providers to generally follow instructions from their users regarding the data stored in their environment would have been quite unthinkable a few years back, such contracts have now become a legal requirement and thus the norm.
Apart from formalities involving written contracts, declarations and similar, the single most fundamental rule of the GDPR is that compliance requires appropriate technical and organisational measures to fulfil the obligations set forth by the GDPR and protect the personal data, where ‘appropriate’ depends on the sensitivity of the personal data involved. As such, healthcare data needs to be better secured against illegitimate access and use than merely some names. With this rule, the GDPR requires cloud providers, but also their business users, to take proper IT security measures, which never involve only a technical component, but always also an organisational one, at least in the form of raising the awareness of the employees in regard to security, personal data and compliance in general, coupled with explaining why the rules are in place and need to be observed. This is, in practice, one of the bigger hurdles: less so for larger businesses, be they cloud users or cloud providers, but rather for small and sometimes even medium businesses. Before the GDPR, those businesses shied away from investing the required, and not insubstantial, amounts of time and money to implement proper technical and especially organisational measures, and preferred to implement a minimum or perhaps modicum of technical security measures. With the increase in the DPA’s fines for not implementing appropriate technical and organisational measures, this aspect of the GDPR becomes more important. In this regard, cloud computing providers can actually provide an added benefit for their business users by implementing just those appropriate technical and organisational measures that the user would be lacking if it was still storing the data on its own premises.
This also ties in with the duty of articles 33 and 34 GDPR to report data breaches within 72 hours and also provide certain details required by law. Without a proper IT security system in place, which includes an appropriate organisation, businesses would be hard pressed to meet those requirements.
A final very important rule of the GDPR is the requirement of the controller to ensure that data is only transferred to countries with an adequate level of data protection, consistent with the level provided by the GDPR (see articles 44 and following GDPR). This, of course, adds additional hurdles to the transfer of data to cloud providers or any of their data centres situated outside of the EU or a country with a recognised adequate level of data protection. In practice, this has, on the one hand, led many international cloud providers to store the data of their EU users only within their EU data centres. On the other hand, businesses from the EU are now more than ever looking for and preferring cloud service providers (be they IaaS, PaaS or SaaS providers) who offer just this added benefit and legal ease of use.