Key issues to clarify with the PaaS provider from a data protection perspective when storing employee data in an HR database created with a PaaS service
The number of businesses entrusting important data management to cloud services is increasing day by day. However, strict European data protection law makes life difficult for many businesses that wish to enjoy the benefits of cloud services while complying with the relevant law on personal data. Despite the hopes and expectations of the cloud computing industry, the new General Data Protection Regulation (GDPR) will not provide any relief to the industry. For the moment, it is still the Data Protection Directive 95/46/EC (DPD), as implemented, that has to be followed until 25th May 2018. By that time businesses have to be ready.
- Is the client EEA-based? Is the PaaS provider EEA-based?
The complications caused by the overprotective data protection rules applicable in the EEA zone can be avoided if none of the parties is established in the EEA and the data centre used by the PaaS provider is located outside the EEA as well. Nevertheless, the scenario in the Lindqvist v Åklagarkammaren (2003) (C-101/01) case shows how tangled the situation can become when it comes to the question of personal data export.
- Who is the IaaS provider for the PaaS provider? Is there any geographical zone restriction applied to the location of the data centres used by the PaaS provider?
If the client and the PaaS provider are both EEA-based, it could be helpful to restrict the geolocation of the data centre in use to the EEA zone in order to have free data movement. Furthermore, are the PaaS and IaaS providers obliged to give prior notification, with a sufficient notice period, if the location of the data centre in use is changed? At this point we can see how far the legislation is from the industrial reality of cloud computing services. The geolocation of EEA personal data should not be an issue when equivalent and proper protection is provided outside the EEA zone (e.g. encryption, back-up). Besides, the fragmentation of stored data between several locations makes it nearly impossible to extract any specific data in a legible manner at a given site, wherever it is.
- Is there any sensitive personal data?
An HR database typically includes personal data¹, but it is important to know whether the given employee data also include any kind of sensitive personal data (e.g. sick leaves, illnesses). The nature of the data determines the level of security that must be applied when controlling and processing it.
- Is there any explicit data protection related clause in the employment contract?
If the client handles sensitive personal data and it is obtained and controlled in a legally sound manner (i.e. explicit consent of the employee, necessary to comply with employment law), the employment contract may already include the data subject's explicit consent to the transfer of their personal data (including sensitive data) to third parties and/or third countries (non-EEA member states). Recently there has been a tendency to include such data protection clauses in the employment contract, enabling employers to transfer even sensitive personal data without any additional consent from the employee. Some firms also apply similar clauses to potential employees' CVs during recruitment.
- Is there any encryption applied on the employee data in the cloud?
Even though encrypted personal data will still be regarded as personal and identifiable data, the extra security measure is important when transferring or providing data to a third party for processing. Under the DPD the PaaS provider is regarded as a data processor² despite the fact that it only provides a storage, compute and development environment in which the client performs the data processing³.
- Can the customer impose certain contractual obligations on the PaaS provider in order to ensure adequate protection under the DPD?
Since the PaaS is provided under contractual terms, there may be room to include model clauses approved by the European Commission for the transfer and processing of personal data (depending on the negotiating power of the given business). The customer, as data controller, may require the PaaS provider, as data processor², to implement appropriate technical and organisational measures to protect personal data. This is where the service level should be defined, together with any service credit, any liability of the provider and indemnification of the customer for data protection breaches.
- What will happen to personal data following the termination of the cloud service?
Last but not least comes one of the most important questions. In order to avoid lock-in with an underperforming or non-compliant cloud service provider, it is crucial to review in detail the exit options and the definition of any support undertaken by the cloud service provider. In most standard contractual terms, termination by the customer is very limited. This issue is fundamental for any kind of cloud computing service, irrespective of the type of data stored. Over time, a valuable and well-organised database will accumulate in the cloud storage. Therefore, the customer has to clarify in advance with the cloud service provider what kind of post-termination assistance it will receive in moving this data to the customer's own assets or to another provider. Is there any option to define the file format of the extracted data, and is it possible to preserve the organisation of that data during the relocation?
* * *
1 Article 2 (a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: DPD)
2 Cloud Computing Law, edited by Christopher Millard, p. 177.
3 DPD Article 2 (b)