Article 28(9) of the GDPR on processors requires that “the contract or the other legal act referred to in paragraphs 3 [where processing is carried out by a processor] and 4 [where a processor engages another processor] shall be in writing, including in electronic form.” Article 26 of the GDPR on joint controllers is less explicit, but as it requires that the essence of the arrangement entered into between joint controllers be made available to data subjects, this means that a written document is required ad probationem (i.e. in order to prove the document).
Therefore, a written contract should now be systematically drafted for most IT contracts. The written form requirement goes hand in hand with another GDPR requirement: transparency. (1)
This flies in the face of a certain culture of opacity maintained by the first cloud offers in the mid-2000s. Under the cloud model prevailing at that time, (2) customers bought a service with given performance, regardless of the technical architecture of this service: only the result counted (3)
Article 12 of the GDPR signaled the end of the era of opacity as it sets in stone the concept of transparent information, communications and the modalities for the exercise of the rights of the data subject. And above all, Article 12 has as a corollary Article 28 on processors.
Article 28(3) requires that the data processing relationship between the processor and the controller be governed by a contract that must stipulate a range of specific substantive provisions. As such, this contract is a nominate contract. (4)
For any cloud contract (IaaS, PaaS, SaaS), the above-mentioned obligations of the GDPR regarding data processing may require the following:
- a clause “Representations” containing representations from the controller to the processor regarding all relevant information on the purpose of the processing of personal data carried out using the means made available by the cloud provider;
- a clause “Instructions” describing the instructions given by the client to the cloud provider and how the cloud provider must apply them;
- a clause “Security” presenting the physical and logical security policy deployed by the cloud provider, in addition to the measures applicable in case of unauthorized intrusion (data breach process); this clause should be associated with an appendix dedicated to a security assurance plan;
- a clause under which the processor agrees to cooperate in the event a data subject wants to exercise his or her rights;
- a clause specifying if, when and how a processor can engage another processor. This is where the requirements for a written and transparent document represents a sea change as cascading contracts must be consistent with each other (“back to back”);
- a clause “Confidentiality”, which should guarantee confidentiality not only from the cloud provider’s own employees, but also from any subcontractors or freelancers hired by the cloud provider to assist in the performance of its obligations;
- clauses on the provider’s obligation to inform (in general, and not only in the event of data breach) and the conditions for conducting audits under aforementioned Article28;
- the location of the data in or outside the European Union; if the data are transferred outside the European Union to a country not considered as ensuring an adequate level of protection it will be necessary to rely on standard contractual clauses (5) (if data are transferred to the United States, a specific framework may apply: the EU-U.S. Privacy Shield (6);
- clarifications on the termination of contractual relationships and the destruction of data in the cloud.
This enhanced transparency is intended to strengthen the confidence of the parties, and hence to increase legal certainty. In terms of IT contracts, the requirements introduced by the GDPR go against a strong trend towards pre-formulated standard contracts (7). In contrast, adapting a clause to the specific categories of data and processing operations carried out implies negotiations; a purely cosmetic “standard” clause could be regarded as a violation of the GDPR.
However, the GDPR does not regulate everything and the difficulties existing in any contracting process are still there. The most typical examples are issues relating to the intensity of obligations and the limitation of liability (8). A review of the personal data clause seems like an opportunity to reorganize the relationship between the parties. Despite clear clauses, which have sometimes been obtained after hard-fought negotiations, a service provider (processor) will be tempted to seek to impose full responsibility on the client (controller) and, conversely, the client will try to seek to extend the liability cap of its service provider.
Regarding the intensity of obligations (and in other words the burden of proof) the GDPR provides no answer: this is a question of contractual freedom. (9)
Regarding the allocation of liability, Article 82(2) of the GDPR is clear: “Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”
However, it is only towards the data subjects and the supervisory authorities that the parties cannot go against the provisions of Article 82(2). Between them, the parties remain free to allocate the risk as they see fit. Consequently, there is no reason to renegotiate the liability cap already agreed upon simply because of the signature of a GDPR amendment.
In conclusion, writing or re-writing a cloud contract does not guarantee full compliance with the GDPR: a global compliance approach is needed.
Article provided by: Eric Le Quellenec, Head of the IT Advisory Department, Alain Bensoussan – Lexing (France), Member of the Paris Council Bar
- Even after a DPIA, cloud services as common as Microsoft’s Office 365 will still be shadowy. See the analysis conducted by the Dutch Ministry of Justice: https://www.rijksoverheid.nl/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office.
- Now officially translated and defined in French as “informatique en nuage:” Article 10 of the Act No. 2018-133.
- See Report “La réalité du cloud dans les grandesentreprises,” Cigref, 9 October 2015, https://www.cigref.fr/rapport-cigref-la-realite-du-cloud-dans-les-grandes-entreprises.[In French]
- Article 1105 of the French Civil Code.
- The European Commission’s standard contractual clauses are available with the appropriate notice on the CNIL website: https://www.cnil.fr/fr/les-clauses-contractuelles-types-de-la-commision-europeenne.
- Data transfer scheme allowing cross-border flows with self-certified American companies, pursuant to Adequacy Decision No. 2016/1250 of 12 July 2016. For more information, see: https://www.privacyshield.gov/welcome.
- “Contrat d’adhésion” within the meaning of Article 1171 of the French Civil Code.
- Post Cloud contracts, GDPR and liability caps,Eric Le Quellenec, May 2018, available at: https://eurocloud.org/news/article/cloud-contracts-gdpr-and-liability-caps/
- In any case, the formation, the causes of nullity of contracts and the general regime of contract law are exclusively a matter of Member State law.
Eric Le Quellenec is a lawyer in Paris (France) and a member of the Paris Council Bar. A specialist in new technologies, information technology and communications law, Eric Le Quellenec is the Head of the IT Advisory department, where he also provides litigation services. He has a solid experience in GDPR, and he is currently leading the compliance programme of world’s leading automotive and agribusiness groups. He is the exiting Vice-President of the Young Lawyers Association of Paris (Union des Jeunes Avocats de Paris – UJA), and previously chaired the new technologies and prospective commission of the French federation of young lawyers associations (Fédération des Unions des Jeunes Avocats de France - FNUJA). He has been appointed expert for the business and IT commissions of the French Bar Association (CNB). He holds a Master 2 in business law (DJCE) and studied at the University of Ottawa (Canada).