Cloud Service Provider – processor, controller or both?
It is generally accepted that a CSP acts, in relation to its customer, only as a processor with respect to the personal data processed pursuant to the contract between the customer as controller and the CSP as processor. We agree that there is nothing wrong with such a statement, but it deserves further analysis.
First of all, CSPs could be divided into at least several groups based on the extent to which the CSP processes personal data and the extent to which it exercises control over the data provided to it. Such a division follows from the existence of different types of cloud computing services, which necessarily entail different roles and responsibilities of the CSP, particularly in relation to data security. A provider of Software as a Service (hereinafter referred to as "SaaS") usually offers software services intended to process data (personal data included), has the ability to exercise control over the processed data and also determines how that data is processed. On the other hand, a provider of Infrastructure as a Service (hereinafter referred to as "IaaS") offers its customers only virtualised hardware or cloud computing infrastructure; the customers of such a CSP are free to decide how the provided infrastructure will be used, while the CSP has no knowledge of whether the infrastructure is being used to process personal data or not. Platform as a Service (hereinafter referred to as "PaaS") could then be seen as a hybrid CSP service. While this division does not affect the assessment of the CSP as a processor, it can significantly affect the extent of the contractual arrangements between the customer (controller) and the CSP, in particular in relation to the obligations and responsibilities of the contracting parties.
Secondly, a CSP could be identified as a controller of personal data where it obtains from the customer the personal data necessary for the performance of the contract to which the customer is a party, since in that case the CSP itself determines the purpose and means of processing the customer's data. For this reason, the CSP would be considered a controller of such personal data of the customer and would be subject to all the provisions required by personal data protection legislation (including the notification duties towards the data subject).
Last but not least, a CSP that processes the personal data of its customers as a controller for its own purposes, alone or jointly with its customers or third parties, could also be identified as a joint controller, which gives rise to new obligations, at the very least to specify the respective role of each controller and their relationship towards the data subjects. This approach could apply to services where a specific cloud service is built on top of another cloud service offered by a different CSP. A suitable example would be a CSP offering one type of cloud computing service (IaaS) and also procuring another type of cloud computing service (SaaS) from a third party for the same customer, where both CSPs could act as controllers or joint controllers towards that customer.
As can be seen, the processing operations conducted by a CSP can be assessed and classified differently. On the basis of the facts stated above, a CSP could easily be considered a controller of personal data in relation to its customer (data subject), which has to be reflected in the contractual terms between the CSP and its customers. It is quite probable that a CSP will be both a controller and a processor at the same time, and this must therefore be taken into consideration every time the relationship between a cloud provider and a new customer is set up.
Article provided by: Miroslav Chlipala & Stefan Pilar, Slovakia
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
CPC project office: Dr. Tobias Höllwarth, email@example.com