A privacy policy for a cloud services provider (updated to cater for the Australian Notifiable Data Breaches Scheme and the EU General Data Protection Regulation (GDPR))

How this document can help you

With the enactment of the Australian Notifiable Data Breaches Scheme (NDB Scheme) and the EU General Data Protection Regulation (GDPR), Privacy Law has now been brought head on into the digital age, bringing with its significant challenges for Australian cloud services providers with cloud services that can be accessed from anywhere in the World. Our Cloud Services Privacy Policy is designed for a company providing hosting services or otherwise providing Software-as-a-Service or other "as a service" services over the Internet to customers. Failure to comply with the Australian Notifiable Data Breaches Scheme carries with it penalties of $2.1 million for organisations. Non-compliance with the GDPR carries with it even bigger penalties – the greater of 4% of a company’s annual global turnover and €20 million.

What it includes

Our template includes the following sections:

• Our legal obligations
• About this Privacy Policy
• Personal data we collect and how we use it
• Data retained in accordance with Australia's telecommunications data retention laws (which will apply to some cloud services providers)
• Automated decision making
• Who we share personal data with
• Third party platforms
• Security
• Privacy tools
• If you refuse to provide us with personal data
• Spam email
• Contractors and offshore providers
• GDPR offshore transfers
• Retention and de-identification of personal data
• Your rights under the GDPR

and more....

Common questions

When does the Notifiable Data Breaches Scheme come into effect?

It already has. It came into effect on 22 February 2018.

Does the GDPR apply to Australian cloud providers?

Article 3 of the GDPR makes it clear that the GDPR applies to organisations that provide goods or services not only to European Union (EU) citizens – but to any persons while they are in the European Union. It also applies to the monitoring of the behaviour of any persons in the EU. This includes many Australian cloud service providers, including data hosting providers, software-as-a-service (SAAS) and other online platform operators who typically permit access to their cloud services by persons from anywhere in the World with an internet connection, including from Europe.

Does the NDB Scheme apply to all Australian cloud services providers?

See: Entities covered by the NDB scheme

When does the GDPR come into effect?

25 May 2018.

Does the GDPR really prevent cloud providers from engaging upstream hosting providers? 

Yes, unless the GDPR is complied with when engaging them.

How much free legal advice does this template come with?

This template comes with 30 minutes of free telephone legal advice from Arnotts Technology Lawyers. During this time, Arnotts will answer any questions they can about the template, to the extent possible within the 30 minutes allocated.