Personal data protection and cloud computing


Cloud computing, i.e. data processing in the cloud, has recently become one of the most popular IT services for business. Its main advantages are, above all, cost reduction and easy access to data from anywhere in the world and at any time, provided you have a computer and access to the Internet. Many companies, in order to maintain their position on the market, focus on technological progress and decide to use more and more innovative solutions, among which cloud computing certainly belongs. However, is cloud computing legal? What does the protection of personal data look like?

Cloud computing - what is it?

Cloud computing, in the simplest terms, is a data processing model that consists in remotely providing the user with the services or resources necessary to process information. By using the cloud, you do not purchase a medium on which to store data, or a computer program that would use the data (so there is no need to buy a license for a given program, install it, or purchase appropriate equipment). As part of the cloud, the user receives infrastructure or software to use - so it is offered as a service. These services are provided on a given server to which the user has access. Therefore, the entire burden of servicing the server rests with the provider of the cloud computing service. The user does not have to worry about such matters as updating the software or buying new hardware because the old hardware no longer supports the program. The only thing that is required from the user is to log in to the server from any computer with Internet access.

There are three types of clouds: private, public, and hybrid. Private clouds are most often created for large companies or organizations - they are the safest (but also the most expensive, because they require the largest financial outlays), because they are the property of these organizations and are made available only within them. Public clouds are the most popular and common - they belong to external, generally available providers (e.g. Google). A hybrid cloud combines public and private clouds (some applications or infrastructure are made available on the public cloud, some on the private one).

Each cloud can operate under a different model. The most popular cloud models include:

  1. IaaS (Infrastructure as a Service) - the service offers access to specific IT infrastructure (hardware, software, servicing). The user buys access to a specific disk space or to a certain number of servers.

  2. SaaS (Software as a Service) - as part of the service, the user receives specific functionalities, software or work tools that run on the provider's server, so there is no need to purchase a license for them.

  3. PaaS (Platform as a Service) - as part of the service, the user receives access to the entire, full platform, which consists of an integrated interface and a set of applications.

Cloud computing and personal data processing

Cloud computing is data processing, so personal data may be processed in each of the models presented. Entrepreneurs use clouds for various purposes: they often process customer data or HR documentation there. Is such use of cloud computing legal? Is it safe for personal data?

The processing of personal data in the cloud is lawful, provided that the relevant provisions on the protection of personal data are complied with (there are no separate legal regulations directly related to the issue of cloud computing).

It should be borne in mind that the processing of personal data in the cloud may be associated with a number of dangers. Often, entities offering cloud computing services use external infrastructure, shared by several service providers, or use subcontractors due to the complexity of processes taking place in the cloud. As a result, the entrepreneur who places personal data in the cloud does not have control over this data, even though he is its controller. He is not able to determine whether the other entities mentioned above have access to this data. He is also not able to determine with whom the cloud computing service provider may share this data, e.g. on the basis of legal provisions. It is possible that the entrepreneur will not be bound by Polish law, because - which is another risk - the entrepreneur does not always know where the data will be processed (i.e. where the cloud infrastructure is located).

As can be seen from the above, the entrepreneur, even if he cares about the high level of security of the personal data being processed, is not sure whether the level of security of the data shared in the cloud will be the same. And such knowledge is required of him by the Act on the Protection of Personal Data.

Cloud computing and the Personal Data Protection Act

Pursuant to Art. 52 of the Personal Data Protection Act:


Art. 52. Whoever by administering data violates, even unintentionally, the obligation to protect them against removal by an unauthorized person, damage or destruction, shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to one year.


It should be remembered that the Chief Inspector for Personal Data Protection (GIODO) has the right to carry out an inspection in order to check whether a given entrepreneur, while processing personal data in the cloud, ensures a high level of protection of this data. If this level is not high enough and there is a risk that the data will fall into the wrong hands, it may impose a severe penalty on the entrepreneur (Art. 52 of the Act).

So what can an entrepreneur do to use cloud computing services legally? How to ensure an appropriate level of security for personal data stored in the cloud?

Choosing the right type of cloud

The entrepreneur should first of all choose the appropriate type of cloud on which he wants to process personal data. As already mentioned, a private cloud is the safest (because if it is created within the entrepreneur's own enterprise, the enterprise manages it itself, so there is no question of unauthorized access to it by third parties), but it requires the greatest financial outlays.

A public cloud is the cheapest, but its use carries the highest risk because it is managed by a third party. In order to legally process data on such a cloud, the entrepreneur should conclude appropriate contracts for entrusting the processing of personal data with this provider.

Agreements for entrusting the processing of personal data

If the entrepreneur knows that he will place personal data in the cloud, he should conclude a contract for entrusting the processing of personal data with the provider of the cloud computing service. Such an agreement should specify the scope of the transfer and management of personal data. In addition, the contract should specify the place of processing these data. It should be remembered that in accordance with Art. 48 of the Act, the transfer of personal data to a third country that does not ensure an adequate level of personal data protection on its territory may only take place after obtaining the consent of the GIODO. The cloud computing agreement should also regulate what entities on the part of the service provider will have access to data processed in the cloud, what technical and physical security measures will be used by the service provider and what will be the procedure for deleting data in the event of termination of the contract.

It is very important that all these issues are regulated in the contract, because according to Art. 31 sec. 4 of the Act on the Protection of Personal Data, the responsibility for complying with the provisions of the Act rests with the data controller, which does not exclude the liability of the entity with which the controller concluded the contract for data processing inconsistent with this contract.

The provider of cloud computing services is subject to the Act on the provision of electronic services (data is provided by the user via the Internet). Therefore, if the service is provided on the territory of Poland, the supplier should meet the requirements imposed by this act: have regulations specifying the type of services provided, the conditions for providing these services, concluding and terminating the contract, complaint procedure. This act also specifies the conditions when the provider will not be responsible for the content of the data provided to him. Such information will certainly be very important for an entrepreneur who will be considering using cloud computing services from this provider.

Rules for the use of cloud services published by GIODO

Before concluding a cloud computing contract, it is worth analyzing the so-called cloud decalogue, i.e. 10 rules published by GIODO, suggesting what to pay attention to when using cloud computing and concluding contracts with suppliers. Although the document is aimed at public administration and is not legislative in nature, it may be a source of valuable guidelines for entrepreneurs. GIODO recommends, inter alia, that contracts impose on the provider an obligation to indicate the physical location of the servers on which data will be processed, or an obligation to ensure access to the security rules and technical measures adopted by the provider.

These rules may constitute a starting point for specific contractual solutions, and thus give the entrepreneur who will use cloud computing services security and certainty that the law is not violated.