When is a Cloud Service Provider GDPR-suitable?

Cloud providers are much more committed to the Data Protection Regulation (GDPR) than before. As of 25 May 2018, the new regulation on the processing of personal data will apply – but what exactly does that mean for us as a cloud user? How do you know if a service or provider meets GDPR requirements? And when does a cloud service actually qualify as a GDPR -compliant?


The values governing the processing of personal data are initially governed by Article 5 (1) of the GDPR; Further regulations can be found, inter alia. in Articles 25 and 32. In what follows, explanations on main demands are, especially in relation to cloud services, can be found.


Data must be processed lawfully and fairly – GDPR Art. 5


The processing of personal data in the cloud is legal only if the data subject has consented or if another legal basis exists. The data processing must take place in a manner that is comprehensible to the person concerned, i.e. the cloud provider must be able to provide clear guarantees as the transparency is now included as a fundamental aspect of these principles.


Confidentiality, integrity and availability – GDPR Art. 5.1 f & Art. 32


The data must be processed in a manner that ensures adequate security of the data, including protection against unlawful processing, loss or damage. Furthermore, the processing must not be expected to breach the dignity of the persons concerned or to restrict their freedoms.


Security and state of the art processing- GDPR Art. 32


During the processing, a sufficiently high security must be guaranteed. The legislator demands that the level of security be constantly improved and always based on the so-called “state of the art” methods.


Privacy by Design and Privacy by Default – GDPR Art. 25


Taking into account the state of art, Data protection must be guaranteed by privacy-friendly technology design (Privacy by Design) and privacy-friendly default settings (Privacy by Default).


Accountability – GDPR Art. 5.2, Art.28, Art 30 & Art.35  


Basically, the controller is responsible for compliance with all mentioned requirements and must be able to prove this in advance (accountability). He must include the processing in the cloud in his directory of processing activities and, if necessary, conduct a risk analysis, a so-called privacy impact assessment. The controller now shares this responsibility with the cloud provider, who in turn also has to provide sufficient guarantees that the requirements of the GDPR are complied with.


Processing – GDPR Art. 28


In cloud computing, the user orders the provider to process the data. In order for the cloud user to be able to live up to his responsibility to the data subjects in this case too, he ensures his agreement with the cloud provider with an order processing agreement that also fulfils the requirements of the GDPR. Part of such an agreement must be that the cloud provider provides all information necessary to demonstrate compliance with the requirements.


Proof by certificates


Of course, for you as a cloud user, it is difficult and almost unacceptable to check compliance with these requirements yourself. It is helpful that cloud providers can use an “approved certification process in accordance with Article 42 to demonstrate compliance with the above requirements. Although no “approved” certificate is yet available, this does not mean that certificates specifically aimed at the requirements of the GDPR cannot already be used as proof of GDPR conformity.


For example, the Trusted Cloud Data Protection Profile (TCDP) was developed with respect to the GDPR. Certifications according to the TCDP should be converted into certificates according to the GDPR standard after the extension of the procedure and standard test. With the research project “AUDITOR” there is also a follow-up project to the TCDP, whose goal is the conception and implementation of an applicable EU-wide data protection certification of cloud services. The first catalog with certification criteria should be completed by the end of April 2018.


So, if you choose a cloud service that is TCDP certified, you’re already on the safe side; From the deadline of May 25, you should additionally ensure that the conversion into a certificate according to the GDPR standard actually takes place or that the service proves compliance with the GDPR with another suitable certificate.