Ten frequently asked questions before contracting cloud computing services:
Q: What should I analyse and take into account before contracting cloud computing services?
A: –Assess the type of data being processed, according to its greater or lesser sensitivity.
–Learn about the types of cloud (private, public, hybrid) and the various forms of service (see the introduction of this guide).
–With this information, decide which personal data you will entrust to cloud computing services and which you prefer to keep in your own information systems.
Q: What is my role as a client of a cloud service, from the point of view of data protection rules?
A: –The client that contracts cloud computing services continues to be responsible for the processing of personal data, even if it contracts them with a large multinational company.
–The party offering the cloud computing service is a service provider that has the status of ‘processor’ under the data protection act.
Q: What is the applicable law?
A: –The law applicable to the client and the service provider is the Spanish legislation on data protection (Organic Law 15/1999, of December 13, and its implementing regulation, the RLOPD, approved by Royal Decree 1720/2007).
–The application of Spanish legislation cannot be modified by contract.
Q: What are my obligations as a client?
A: –Request and obtain information on whether or not third parties (subcontractors) take part in the delivery of the cloud computing services.
Typically, third parties are involved. If so:
• You must give your agreement to the participation of third parties. For this reason, the cloud computing service provider has to inform you about the types of services which may be subcontracted to third parties.
• You must be able to find out which third-party companies are involved (e.g. by being able to access a web page or through other options provided to you by the service provider).
Q: Where can personal data be located? Is their location relevant?
A: –The location of the data is important because the guarantees required for their protection differ depending on the country in which they are located. The countries of the European Economic Area offer sufficient guarantees, and no international transfer of data is legally considered to take place.
–If the data are located in countries that do not belong to the European Economic Area, there would be an international transfer of data, in which case, depending on the country in which they are located, appropriate legal guarantees must be provided.
Q: What commitments of confidentiality of personal data should I demand?
A: The cloud service provider must commit to ensuring confidentiality by using the data only for the contracted services. It must also commit to instructing the staff under its authority to maintain confidentiality.
Q: How do I guarantee that I can recover the personal data that I am responsible for?
A: The provider must be obliged, at the end of the service, to deliver the information to the client in the agreed format, so that the client can store it in its own systems or opt to move it to a new provider in a format that allows its use, in the shortest possible time, with a full guarantee of the integrity of the information and without incurring additional costs.
Q: How can I make sure that the ‘cloud’ provider does not retain personal data once the contract has ended?
A: Mechanisms must be provided that ensure the secure deletion of the data when the client requests it and, in any case, at the end of the contract. (An appropriate mechanism is to require a certificate of destruction issued by the cloud computing provider or a third party.)
Q: What security measures are required?
A: The level of security required depends on the greater or lesser sensitivity of the personal data. In addition, access to information through communications networks must offer a level of security equivalent to that of local access. Ask the cloud computing provider about the levels of security it offers and guarantees.
Q: How can I ensure the exercise of the rights of access, rectification, cancellation and opposition (ARCO rights)?
A: The cloud computing client, as the data controller, must allow citizens to exercise their ARCO rights. To do this, the cloud provider must guarantee its cooperation and the proper tools to facilitate the handling of these rights.