Cloud computing: models and applicable law
Cloud computing is the delivery of IT services over the internet, split into IaaS, PaaS and SaaS according to how much the supplier provides. Cloud infrastructure is shared, spread across countries and controlled by the supplier. Whether the GDPR applies turns on Article 3: an EU establishment, or offering goods/services to, or monitoring, individuals in the EU. The Weltimmo case shows that even minimal activities in a member state can amount to an establishment.
| Model | Supplier provides | User remains responsible for |
|---|---|---|
| IaaS | Physical computing resources (e.g. servers) | Operating platform AND all applications |
| PaaS | Operating platform plus underlying hardware | Implementing and maintaining applications |
| SaaS | Infrastructure, platform AND application | Little - supplier provides the full stack |
- Cloud infrastructure is shared among the supplier's customers and can sit in several countries
- Customer data are moved around the infrastructure according to capacity
- The supplier determines location, security measures and service standards
Under Article 3, GDPR applies where processing relates to the activities of an EU establishment of the controller, OR relates to offering goods/services to, or monitoring the behaviour of, individuals in the EU - even when the controller/processor is not established in the EU. The second limb was new in the GDPR and significantly expanded its reach. In Weltimmo the CJEU said establishment turns on the degree of stability of arrangements and effective exercise of activities, and that even minimal activities (a local-language website, a representative, a letterbox, a bank account) can be enough.