Cloud: controllership issues
In most supply-of-services cases the customer is the controller (it decides purposes and means) and the supplier is a processor. But in cloud this can't be assumed. A processor can choose non-essential means (e.g. hardware) without becoming a controller, but deciding essential means like , or processing data for its own purposes, makes it a controller. The contract matters but is not conclusive on its own.
| Question | Effect on supplier's status |
|---|---|
| Supplier decides only non-essential means (e.g. hardware)? | Can remain a processor |
| Supplier decides essential means (e.g. retention periods)? | Becomes a controller |
| Supplier processes customer data for its OWN purposes? | Becomes a controller of that data |
| Supplier acts outside the controller's instructions? | Becomes a controller |
Why it matters: (and joint controllers) carry significantly more GDPR obligations than processors. The contract helps allocate roles but the contractual relationship in isolation is not conclusive - otherwise parties could artificially shift a controller's responsibilities. A processor must act only on the controller's instructions, but those instructions can be general.
Cloud providers increasingly want to use customer data for their own purposes (e.g. to improve services). The moment they do, they become a controller of that data - a growing source of disputes.