In the Cloud industry, companies can take on different roles. It is essential for organizations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of such processing. This is particularly important in situations such as preventing a data breach where it will be necessary to determine which organization has what responsibility.
Sometimes, the same company could act as a data processor and as a data controller.
What is a data controller?
The data controller determines the purposes and the means of the processing of personal data. So, if your company decides ‘why’ and ‘how’, you are the controller of the personal data processing activities.
What is a data processor?
The data processor is a company processing the personal data on behalf of the data controller pursuant to the performance of a particular service or business offering.
However, the fact that one organization provides a service to another organization does not necessarily mean that it is acting as a data processor. It could be a data controller, depending on the degree of control it exercises over the processing operation.
The services provided by CloudBlue an Ingram Micro business will typically fall under one or more of these categories:
- Software as a Service (“SaaS”): CloudBlue provides software applications over the Internet and represents “Connect” and “Commerce as a Service” (or “Marketplace as a Service”) offerings.
- Platform as a Service (“PaaS”): CloudBlue provides and/or manages infrastructure required to run the “CloudBlue software”
In accordance with the regulatory guidance and industry practices, CloudBlue, as a cloud service provider, will be acting as a data processor of its customers.
Responsibilities Arising Out of the Processing of Personal Data
Under the applicable data protection laws, the controller is responsible for the processing of personal data, where the processor acts on controller’s instructions. However, in some jurisdictions such as in the European Union, both controllers and processors have their own separate legal obligations with regards to the handling and protection of personal data, for example: security of the data and data transfers.
In such regard, each company bears its own legal responsibility for its compliance with its own legal obligations. It is also important to understand that company’s liability towards the regulators or the responsible administrative authority for breaches by a company of the applicable laws, cannot be limited or excluded by law.
Taking into consideration the nature of the service provided by CloudBlue, multiple parties will play a role in in the security and protection of the personal data stored in and processed through CloudBlue’s platforms and cloud services.
- CloudBlue’s customer and such customer’s multiple business partners such as vendors, distributors and resellers all play a role. The acts and omissions of any party, other than CloudBlue authorized sub-processors, however, are fully outside of the control or the visibility of the Cloud services provider.
- Customer as the controller of the data maintains ownership of the personal data it uploads into CloudBlue products. Therefore, the customer selects which personal data can be processed, stored, and hosted through CloudBlue products. CloudBlue does not access or use the customer’s personal data for any purpose other than what is agreed with the customer in advance, except in each case as necessary to comply with the applicable laws or a binding order of a governmental body.
- The customer controls its data. Ingram Micro offers industry standard security features to protect and encrypt customer’s data in transit and at rest which are appropriate to the risks presented by the processing of the data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of the data, the nature of the data as well as the risk and severity for the rights and freedoms of natural persons.
- When evaluating the security of a cloud solution, it is important to understand and distinguish between the security of the cloud, and security in the cloud. Security of the cloud encompasses the security measures that CloudBlue implements and operates. CloudBlue is responsible for the security of the cloud. Security in the cloud, however, encompasses the security measures that the customer, as a data controller, implements and operates related to the CloudBlue products the customer uses. The customer is responsible for the security in the cloud and is responsible to receive awareness education and training with regular updates as relevant for the business role.