DRAFT Notes on the Main Issues of Cloud Computing Contracts (prepared by the UNCITRAL secretariat, 2019): Data protection

Personal data are subject to special protection by law in many jurisdictions. Law applicable to personal data processing may be different from the law applicable to the contract. It will override any non-compliant contractual clauses.

The contract may include a data protection or privacy clause, data processing agreement or similar type of agreement, although some providers may agree only to the general obligation to comply with applicable data protection laws. In some jurisdictions, such general commitment may be insufficient: the contract would need to stipulate at a minimum the subject matter and the duration, nature and purpose of the personal data processing, the type of personal data and categories of data subjects and the obligations and rights of the data controller and the data processor. Where the possibility of negotiating a data protection clause in the contract does not exist, the customer may wish to review standard terms to determine whether the provisions give the customer sufficient guarantees of lawful personal data processing and adequate remedies for damages.

The customer will likely be the data controller and will assume responsibility for compliance with the data protection law in respect of personal data collected and processed in the cloud. The parties may agree on contractual clauses aimed at ensuring compliance with the applicable data protection regulations, including requests related to the data subjects’ rights. The parties may also agree on separate remedies should those clauses be breached, including unilateral termination of the contract and compensation for damages.

Providers’ standard contracts usually stipulate that the provider does not assume any data controller role. The provider will likely act as the data processor only when it processes the customer’s data according to instructions of the customer for the sole purpose of providing the cloud computing services. The provider may, however, be regarded as the data controller in some jurisdictions, regardless of contractual clauses, when it further processes data for its own purposes or upon instructions of State authorities and could thus assume full responsibility for personal data protection in respect of that further personal data processing. Read more.

To the main page

To the precontractual aspects

To other contractual aspects

To the Glossary