Guidance for Organisations Engaging Cloud Service Providers

A data controller must remain in control of the personal data it collects when it subcontracts the processing to a cloud provider. A key element of control is to ensure the security of the data. Controllers (both clients and cloud service providers) also need to be transparent about the processing of personal data. Important for both control and security is the location of the data. A related issue is also the requirement for a written contract.