We are continuously taking actions to ensure that we continue to comply with the new General Data Protection Regulation (GDPR). We recently released our Commissioned Data Processing Agreement (CDPA), an agreement that governs how we process data in accordance with GDPR. It is important to understand the relationship between our mutual responsibilities as user and supplier of cloud services, and this is something we detail in this article. We will also explain some of the specific steps that we have taken to ensure and future-proof our GDPR compliance, and what you as a user of our services need to do next.
YES, this means that all our existing and potential users can continue to store data in City Cloud, where we will process said data in a GDPR-compliant manner, in any of our EU locations.
NO, storing data in City Cloud does not automatically make your organisation GDPR compliant. (More on this further down.)
Our different data relationships
This is an extremely important aspect when it comes to protecting personal data: understanding the relationships and chain of responsibility between you and your service providers, and also your mutual responsibilities towards data subjects.
You Data Subject, we Data Controller
You are the DATA SUBJECT
City Network is the DATA CONTROLLER
City Network’s vendors are DATA PROCESSORS
You Data Controller, we Data Processor
When you start using our services and, most likely, store your customers' personal data in our services, we have a second relationship. This time around, you are the data controller of your customers' data and City Network becomes a data processor of said data. For this interaction, we can guarantee that we will process your customers' personal data in a GDPR-compliant manner.
Your customers are DATA SUBJECTS
You are the DATA CONTROLLER
City Network is the DATA PROCESSOR
As you can see, the chain of responsibility must stay intact throughout the entire process, and this chain can be as long as there are subject/controller/processor relationships. Most importantly, you must understand that there is no such thing as GDPR compliance by proxy. Storing your customers' personal data in a GDPR-compliant service does not automatically make your organisation GDPR compliant.
The binding agent – CDPA
To ensure that the chain of responsibility is intact and that handling of personal data is properly managed, in cases where the data controller and the data processor are not the same entity, GDPR demands that a data processing agreement is signed. The Commissioned Data Processing Agreement (CDPA) is a non-transferable agreement, which means that a CDPA is required for each and every relationship between a data controller and its data processors.
Our CDPA is mandatory for all users of our cloud services regardless of their current intentions regarding collection and storage of personal data in our cloud services. By the sheer nature of our cloud services, encryption and other security and privacy measures, we cannot control or see what our users choose to store in our cloud services. Therefore, this is a proactive approach to make sure that the CDPA, with its clear instructions of responsibility, is in effect IF our users decide to collect and store personal data in our cloud services at any time in the future.
In short, the CDPA governs our mutual responsibilities to protect personal data as data controller (you/your organisation as obtainer or potential obtainer of personal data) and data processor (City Network Hosting AB as supplier of the cloud service in which said data is stored).
Signing our CDPA is mandatory for all business users and you can find it by logging in to citycontrolpanel. After signing the agreement, you will receive a copy via email.
What we have done to ensure GDPR compliance
We have spent the last 4 years ramping up our security and privacy measures. Albeit not for the sake of GDPR alone, some of the things that we have done have been directly connected to demands deriving from the new law.
Lifecycle management – New and better processes in place to ensure that no End of Life software, hardware or peripherals are used in any of our systems.
Decommissioned systems – Systems or parts of systems that are no longer viable to update or upgrade have been decommissioned.
What we are continuously doing to improve security and privacy
ISO certifications – City Network has a wide range of ISO certifications that ensure our compliance with strict security and privacy regulations as well as environmental and business continuity aspects. To date, we are certified according to the following ISO standards:
Family of Information Security Management Standards
27001 – ISMS
27010 – (Compliant Cloud only)
27013 – (Compliant Cloud only)
27015 – (Compliant Cloud only)
27017 – (Compliant Cloud only)
27018 – (Compliant Cloud only)
What we are looking to do in the near future
We have always glanced at the Germans and the BSI, whom we believe to have rigorous processes to ensure information security and compliance, particularly for cloud services. This year we are embarking on the C5 certification process, which is a certification specifically for cloud service providers. If you are interested in reading more about this certification, you can find more information here.