Our Data Processing Agreement is designed to help Software-as-a-Service providers and other organisations providing cloud-based services to clarify with their customers how the parties will approach data breaches and compliance with the processor/controller relationship that may apply to them for the purposes of the EU General Data Protection Regulation (GDPR). It also includes a Schedule for addressing data breaches of jointly held personal information for the purposes of the Australian Notifiable Data Breaches Scheme.

Cloud Providers - are you ready for the Storm?

Australian cloud providers now need to contend with another layer of red tape - compliance with the Notifiable Data Breaches Scheme (the NDB Scheme) and the EU General Data Protection Regulation (GDPR). Under the NDB Scheme, cloud providers who 'hold' personal information and who are APP Entities need to approach data breaches as a serious issue. Failure to comply by a corporation can attract penalties of $2.1 million. In addition, from 25 May 2018 the GDPR will places obligations on cloud providers to take the processing of personal data more seriously than ever before. 

The Notificable Data Breaches Scheme

All Australian entities caught by the provisions of the Australian Privacy Act, have since 22 February 2018 been subject to the Notifiable Data Breaches Scheme, that requires eligible data breaches to be notified, and other steps to be taken, where data breaches occur that are likely to result in serious harm. The assessment, remediation, notification and other processes that need to be carried out are significant as are the penalties for non-compliance with the new privacy regime (up to $2.1 million for corporations). Australian entities can therefore no longer turn a blind eye when it comes to preparing for and acting when notifiable data breaches occur. These new laws are notable for cloud service providers which ‘hold’ personal information. Under the Australian Privacy Act, Australian entities can ‘hold’ personal information by having the possession of that information through physical or electronic possession and may also ‘hold’ personal information through having control of it – for example by having the right or power to deal with the personal information (despite not physically possessing or owning the medium on which it is stored). It is likely that most cloud services providers will be deemed to ‘hold’ personal information stored on their physical or virtual computer servers.

The EU General Data Protection Regulation (GDPR)

To add to the regulatory red tape that the new Australian laws provide, from 25 May 2018, a new regulation is coming into effect known as the EU General Data Protection Regulation (GDPR). The GDPR, although a regulation of the European Union (EU), has far reaching consequences for Australian organisations that provide goods or services not only to EU citizens – but to any persons while they are in the European Union and when monitoring the behaviour of persons in the EU. Non-compliance with the GDPR carries with it even bigger penalties – the greater of 4% of a company’s annual global turnover and €20 million.

What this document includes

Using DocuStream you can generate a Data Processing Agreement between a Cloud Services Provider and its customers, which includes:

• The parties' agreement as to how long the cloud provider can process the customer's personal data for;
• A commitment by each party to comply with applicable Data Protection Laws;
• ​The parties' agreement to cooperate to assist with compliance matters;
• ​What is to occur at the end of the agreement - in relation to the return and destruction of personal data;
• ​How the parties will approach the data breaches involving personal data jointly held by them;
• Clauses making it clear that the customer remains responsible for ensuring that the data it uploads into the proider's cloud services has all necessary consents, authorisations and approvals, and what occurs when they are revoked;
• A clause making it clear what the customer's instructions are to the cloud provider for the processing of personal data under the GDPR;
• ​A description of whose personal data will be processed by the cloud services;
• ​A list of the different types of personal data that will be processed by the cloud services;
• A list of technical and organisational security processes and procedures that will be implemented by the cloud provider to protect personal data; 
• ​Commitments around subprocessing and international transfers by the cloud provider in line with the requirements of the GDPR;
• ​An agreed position on how data breaches will be addressed for the purposes of the NDB Scheme;​
• A separate position on how data breaches will be addressed for the purposes of the GDPR;
• ​Commitments around providing data subjects with access to their data, the right to data portability, the right to withdraw consent, the right to restrict processing and other rights granted to data subjects pursuant to the GDPR

Common questions

When does the Notifiable Data Breaches Scheme come into effect?

It already has. It came into effect on 22 February 2018.

Does the GDPR apply to Australian cloud providers?

Article 3 of the GDPR makes it clear that the GDPR applies to organisations that provide goods or services not only to European Union (EU) citizens – but to any persons while they are in the European Union. It also applies to the monitoring of the behaviour of any persons in the EU. This includes many Australian cloud service providers, including data hosting providers, software-as-a-service (SAAS) and other online platform operators who typically permit access to their cloud services by persons from anywhere in the World with an internet connection, including from Europe.

When does the GDPR come into effect?

25 May 2018.

Does the GDPR really prevent cloud providers from engaging upstream hosting providers? 

Yes, unless the GDPR is complied with when engaging them.

How much free legal advice does this template come with?

This template comes with 15 minutes of free telephone legal advice from Arnotts Technology Lawyers. During this time, Arnotts will answer any questions they can about the template, to the extent possible within the 15 minutes allocated.