Special issues

In principle, providers of cloud computing services enjoy some advantages over providers of traditional server services.

For example, cloud-based services offer more flexibility and integrated solutions. However, such advantages also raise some special issues, which the data controller must address:

Backup copying/mirroring: How does this work? Are personal data transferred to another country for redundancy, e.g. from Ireland to the USA or from Germany to India? Is such redundancy in accordance with the agreements that have been entered into? How are the personal data processed after they have been transferred?

Segmenting: The Norwegian Data Protection Authority has stated that the data controller's personal data must not be mixed with personal data from another data controller. How does the service provider handle this issue?

Access management: Which of the service provider's staff have access to the personal data being processed? Do the access management controls comply with statutory requirements and the vendor's own internal control systems? See also the section on risk assessment and data security.

Authorised and unauthorised use: Does the solution permit the logging of authorised and unauthorised use, pursuant to Section 2-14 of the Personal Data Regulations?

Documentation: Is the solution adequately documented with regard to controls by public authorities?

Where is data stored? Transfer to a third country: In principle, personal data may not be transferred to countries outside the EEA. However, one-off transfers may be approved in advance by the Norwegian Data Protection Authority. In addition, certain countries have been approved by the EU as safe receiving states. Enterprises that wish to transfer personal data abroad must comply with the provisions of Chapter 5 of the Personal Data Act and Chapter 6 of the Personal Data Regulations.

Deletion: Are personal data deleted within a "reasonable time"? The data processor has no right to process personal data after being asked to delete them by the data controller.

Use for own purposes: Does the data processor have a clause in the agreement entitling them to use data for their own purposes (e.g. to improve their own services)? The enterprise must ensure that the data processor agreement takes precedence over any other agreement, and that the service provider does not have a privacy waiver that can supersede it. The data controller must ensure that the personal data being processed are used only for explicitly stated purposes that are legitimately justified by the activities of the data controller, as stipulated in Section 11(b) of the Personal Data Act.

Subcontractors: Does the data processor make use of subcontractors? The identities of any subcontractors must be known to and approved by the enterprise. This relates to the issue discussed above concerning where data are stored and whether they are transferred to a third country.