Our Data Processing Agreement is designed to help Software-as-a-Service providers and other organisations providing cloud-based services to clarify with their customers how the parties will approach data breaches and compliance with the processor/controller relationship that may apply to them for the purposes of the EU General Data Protection Regulation (GDPR). It also includes a Schedule for addressing data breaches of jointly held personal information for the purposes of the Australian Notifiable Data Breaches Scheme.
Australian cloud providers now need to contend with another layer of red tape - compliance with the Notifiable Data Breaches Scheme (the NDB Scheme) and the EU General Data Protection Regulation (GDPR). Under the NDB Scheme, cloud providers who 'hold' personal information and who are APP Entities need to approach data breaches as a serious issue. Failure to comply by a corporation can attract penalties of $2.1 million. In addition, from 25 May 2018 the GDPR will places obligations on cloud providers to take the processing of personal data more seriously than ever before.
All Australian entities caught by the provisions of the Australian Privacy Act, have since 22 February 2018 been subject to the Notifiable Data Breaches Scheme, that requires eligible data breaches to be notified, and other steps to be taken, where data breaches occur that are likely to result in serious harm. The assessment, remediation, notification and other processes that need to be carried out are significant as are the penalties for non-compliance with the new privacy regime (up to $2.1 million for corporations). Australian entities can therefore no longer turn a blind eye when it comes to preparing for and acting when notifiable data breaches occur. These new laws are notable for cloud service providers which ‘hold’ personal information. Under the Australian Privacy Act, Australian entities can ‘hold’ personal information by having the possession of that information through physical or electronic possession and may also ‘hold’ personal information through having control of it – for example by having the right or power to deal with the personal information (despite not physically possessing or owning the medium on which it is stored). It is likely that most cloud services providers will be deemed to ‘hold’ personal information stored on their physical or virtual computer servers.
To add to the regulatory red tape that the new Australian laws provide, from 25 May 2018, a new regulation is coming into effect known as the EU General Data Protection Regulation (GDPR). The GDPR, although a regulation of the European Union (EU), has far reaching consequences for Australian organisations that provide goods or services not only to EU citizens – but to any persons while they are in the European Union and when monitoring the behaviour of persons in the EU. Non-compliance with the GDPR carries with it even bigger penalties – the greater of 4% of a company’s annual global turnover and €20 million.
Using DocuStream you can generate a Data Processing Agreement between a Cloud Services Provider and its customers, which includes:
When does the Notifiable Data Breaches Scheme come into effect?
It already has. It came into effect on 22 February 2018.
Does the GDPR apply to Australian cloud providers?
Article 3 of the GDPR makes it clear that the GDPR applies to organisations that provide goods or services not only to European Union (EU) citizens – but to any persons while they are in the European Union. It also applies to the monitoring of the behaviour of any persons in the EU. This includes many Australian cloud service providers, including data hosting providers, software-as-a-service (SAAS) and other online platform operators who typically permit access to their cloud services by persons from anywhere in the World with an internet connection, including from Europe.
When does the GDPR come into effect?
25 May 2018.
Does the GDPR really prevent cloud providers from engaging upstream hosting providers?
Yes, unless the GDPR is complied with when engaging them.
This template comes with 15 minutes of free telephone legal advice from Arnotts Technology Lawyers. During this time, Arnotts will answer any questions they can about the template, to the extent possible within the 15 minutes allocated.
An acceptable use policy for a cloud platform...Read more
Generate NowA privacy policy for a cloud services provider (updated to cater for the Australian Notifiable Data ...Read more
Generate NowA policy that a company can implement that regulates how employees can use the company's computers, ...Read more
Generate NowOur Data Breach Response Plan template is designed to outline how an organisation contains, assesses...Read more
Generate NowAn undertaking in the form of a deed poll that can be given by an employee in relation to confidenti...Read more
Generate NowOur Data Processing Addendum is designed to help service providers and other organisations providing...Read more
Generate NowA privacy policy for a Services Provider, including a Professional Service Provider, IT Support Prov...Read more
Generate Now