This Opinion analyzes all relevant issues for cloud computing service providers operating in the European Economic Area (EEA) and their clients, specifying all applicable principles from the EU Data Protection Directive (95/46/EC) and, where relevant, the Privacy and Electronic Communications Directive 2002/58/EC (as revised by 2009/136/EC).
This Opinion focuses on the situation in which the relationship is assumed to be a controller-processor relationship, with the customer qualifying as controller and the cloud provider qualifying as processor. Where the cloud provider also acts as a controller, it has to meet additional requirements. As a consequence, a precondition for relying on cloud computing arrangements is that the controller performs an adequate risk assessment, including the locations of the servers where the data are processed and a consideration of the risks and benefits from a data protection perspective, pursuant to the criteria outlined in the paragraphs below.
This Opinion specifies the applicable principles for both controllers and processors from the general Data Protection Directive (95/46/EC), such as purpose specification and limitation, erasure of data, and technical and organizational measures. The Opinion provides guidance on the security requirements, both as a structural and as a procedural safeguard. Special emphasis is laid on the contractual arrangements that should regulate the relationship between a controller and a processor in this context.
The classic goals of data security are availability, integrity and confidentiality. However, data protection is not limited to data security, and these goals are therefore complemented by the specific data protection goals of transparency, isolation, intervenability and portability, which substantiate the individual's right to data protection as enshrined in Article 8 of the EU Charter of Fundamental Rights.