GA4GH GDPR Brief: Cloud Computing

4 March 2020

Cloud computing, GDPR

Cloud computing can be defined as a digital service that enables access to a scalable and elastic pool of shareable computing resources. This access to large amounts of flexible computing resource can be of interest to organisations with large data sets, such as genomic databases. Developments in personalized medicine and AI enhance the relevance of cloud computing for genomic and health-related research.

Research organisations will often process personal data (e.g. genetic data and health data) and have to ensure compliance with the GDPR. Two key provisions for cloud computing are: 1) appointing a processor; and 2) transfers of personal data to third countries (i.e. those outside the EEA).

The research organisation which determines the purposes for and means by which genomic data are processed will be a controller. A cloud computing provider will be a processor – a “…person … which processes personal data on behalf of the controller” and which must not process the personal data save as instructed by the controller.

The research organisation is responsible for selecting a processor which is able to process personal data in accordance with the GDPR. This is not simply a matter of contractual commitments; the research organisation must also assess the suitability of the processor before appointment. Factors to consider include the type of processing (e.g. storage, structuring), risks to data subjects and mechanisms to meet data subject rights. 

The research organisation must further ensure that the processing is “governed by a contract or other legal act under Union or Member State law”. This contract must contain details of the personal data processing carried out by the processor and the obligations and rights of the research organisation. The GDPR stipulates provisions which must be included in the contract – such as security measures, assistance for the research organisation, restrictions on sub-contracting, audit rights and obligations to delete personal data at the end of the processing services, or to return it to the research organisation. The GDPR anticipates standard contractual clauses being adopted by the Commission or supervisory authorities. So far, only the Danish authority has adopted standard clauses.

A processor which does not comply with the data processing agreement appointing it may not just risk being in breach of contract. If this means that the processor has, in fact, determined the purposes and means of processing, then it will be considered a controller – with the heightened obligations and liability of a controller.

If cloud computing will result in processing of personal data outside the EEA, the rules on transfers of personal data will apply. This may mean ensuring transfers are made on the basis of an adequacy decision, or are subject to appropriate safeguards – principally standard contractual clauses, or binding corporate rules. These may be affected by pending legal cases.

Applicable national rules relevant to hosting health data on servers (e.g. as in France) must also be met by the cloud computing provider.

Ruth Boardman is partner at Bird & Bird LLP and co-heads the International Privacy and Data Protection Group.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.