Cloud service contracts (Article 28)
A customer that is a controller under the GDPR must have an Article 28 contract (or other binding legal act) in place with any cloud provider that processes personal data on its behalf. Article 28(3) sets out the minimum content of that contract:
- Subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subject
- Process only on the controller's documented instructions, including for transfers of data outside the EU/EEA
- Persons authorised to process the data are bound by a duty of confidentiality
- Implement the security measures required by Article 32
- No sub-processor is engaged without the controller's prior written authorisation; under a general authorisation the controller must at minimum be notified of intended changes and given the chance to object
- Every sub-processor is bound by the same data protection obligations, and the processor remains fully liable to the controller for the sub-processor's performance
- Help the controller meet its own duties (responding to data-subject rights requests, security, breach notification, DPIAs and prior consultation with the regulator)
- Delete or return all personal data at the end of the services, at the controller's choice, unless EU or member-state law requires it to be kept
- Make available all information needed to demonstrate compliance, and allow and contribute to audits and inspections by the controller or its appointed auditor
Beyond the contract, a processor has direct GDPR responsibilities of its own, e.g. securing the processing (Article 32) and notifying the controller without undue delay after becoming aware of a personal data breach (Article 33(2)). The contract doesn't replace those statutory duties.
Cloud providers usually offer their own standard terms, which may not cover all of the mandatory Article 28 terms. The EU Cloud Code of Conduct (approved in 2021) requires adhering providers' standard terms to contain all of the required GDPR processor obligations, so choosing a Code-adherent provider can help a customer meet its own Article 28 obligations.