GDPR and Cloud Computing: How to Define Responsibilities Between Customers and Cloud Providers


With the widespread adoption of cloud computing services, whether SaaS, PaaS, or IaaS, outsourcing information systems has become the norm. However, this technological agility comes with significant legal challenges. Under the General Data Protection Regulation (GDPR), every flow of personal data must be mapped and governed. Yet determining exactly who does what and who is responsible for what often proves to be a real challenge. While the allocation of roles may appear straightforward in theory, practice—particularly in complex cloud service arrangements—reveals a much more blurred boundary between stakeholders.
To fully understand the responsibilities involved, it is essential to revisit the three main GDPR roles.
The data controller is the natural or legal person (company, public authority, or organisation) that alone or jointly with others determines the purposes ("why") and means ("how") of processing personal data. It is the primary decision-maker. Two entities may be considered separate controllers within the same processing activity when each independently determines its own purposes and processing arrangements.
The processor processes personal data on behalf of the controller, strictly following documented contractual instructions. Processors have their own obligations, particularly regarding security measures, and must assist controllers, for example in the event of a personal data breach notification.
Joint controllership occurs when two or more entities jointly determine the purposes and means of a processing activity. They must transparently define their respective responsibilities towards data subjects, often through a joint controller agreement. Each party remains accountable for the GDPR obligations assigned to it.
This qualification is essential because the controller remains responsible for ensuring that its service providers comply with GDPR requirements. It must implement assessment and monitoring measures to verify compliance.
The nature of the relationship must also be clearly defined and governed through a contract in accordance with Article 28 of the GDPR.
An incorrect qualification may lead to unclear accountability, particularly regarding data subject rights requests, transparency obligations, and data security responsibilities.
To determine the correct qualification, organisations should ask:
When using cloud solutions, the customer is generally considered the data controller, while the cloud provider (hosting, maintenance, support) acts as a processor operating under the customer’s instructions.
However, depending on the evolution of the service and the purposes pursued, this allocation of responsibilities may change.
The reuse of data by a cloud provider to improve its own software may fall under three different legal qualifications.
1. Provider as processor: the improvement benefits only one specific customer who requested it. The customer determines the purpose and the essential means and provides explicit instructions. The data used originate exclusively from that customer.
2. Joint controllership: the processing aimed at improving the service serves a common interest. The customer and the provider jointly determine the objectives and characteristics of the improvement.
3. Provider as independent controller: the improvement is carried out solely at the provider's initiative, for its own purposes and those of future customers. The original customer has no involvement in the process, and the provider independently decides how to analyse, aggregate, or anonymise data from multiple customers.
Managing cloud security measures may also involve different levels of responsibility for the provider.
1. Provider as processor: the provider acts solely as a processor regarding storage services and the customer's use of data hosted in the cloud. In this case, it does not interfere with the purposes of processing and is not considered a controller.
2. Joint controllership: this may arise when the customer provides highly specific security instructions. The resulting technical processing then serves both the customer's information systems and the provider's broader IaaS infrastructure, so the customer directly influences the security measures implemented.
3. Provider as independent controller: more generally, where security measures benefit the entire cloud environment and all tenants, the provider acts on its own behalf. It possesses the technical expertise, accesses low-level logs, and independently determines the security purposes without instructions from customers.
There is no single model for qualifying the relationship between a customer and its cloud service provider under the GDPR. While the processor relationship generally applies to the core service, ancillary processing activities—such as service improvement or infrastructure-wide security management—may transform the provider into an independent controller or create a joint controllership arrangement.
This complexity requires legal, compliance, and IT teams to exercise increased vigilance. The qualification of stakeholders should not be treated as a generic contractual clause but rather as the result of a thorough analysis of the actual purposes and means of each processing activity.
Looking to secure your cloud contracts, properly define GDPR roles, or assess data protection risks linked to cloud outsourcing?
DPO Consulting supports organisations in cloud compliance projects, GDPR governance, vendor assessments, and data protection risk management.
👉 Learn more: https://www.dpo-consulting.com/outsourced-dpo