Hosting services: 100,000 euro fine to a company
The AEPD has fined a company that offered data and APP hosting services €100,000 for not returning the data hosted to one of its clients.
What does the GDPR and the AEPD say about hosting services companies?
From reading the sanctioning resolution and many others, it can be deduced that companies that host data (personal but also other types) on behalf of their clients are considered the processors.
According to the GDPR, these are the ones who process personal data “on behalf of their clients”. In other words, when a company decides to subcontract a service and this implies that the provider is going to access personal data collected by the client, this service provider will be considered the party in charge of processing, or the processor.
Its task is none other than to process (in the broadest sense of the term) the data, to fulfil the mandate of its client who is, in turn, the controller.
What are the obligations of the processor?
In essence, its functions and obligations are set out in a contract that must be signed between the processor and the controller. This contract, which is mandatory under the GDPR, clearly establishes the purpose or purposes for which the data or information will be processed or used. It also sets out the processor's obligation, once the contract is terminated, to either return the data or destroy it, at the client's discretion, and in the latter case to prove that the destruction has been effective.
Hosting services: What does the AEPD sanction?
Although it is not an especially recent sanction, it is exceptional because of its content, and it is certainly a warning to hosting companies (and other IT service providers) to be clear about their obligations when entering into a contract with a client.
In this case, the client repeatedly asked for its databases and applications to be moved to servers other than those managed by the hosting company. Faced with that request, the provider delayed so long that, in practice, it did not collaborate in any way in an efficient transfer of the data.
As a result, the client was unable to comply with obligations and procedures as basic as paying certain taxes or making bank transfers. Because of this situation and the damage caused to the client, the AEPD fined the hosting provider €100,000.
If you are a hosting company or another IT service company, remember that:
- If your clients host personal data on your servers, or if you have access to personal data while providing the service, you will be considered the data processor.
- Bear in mind that the GDPR obliges controllers (your clients) to enter into contracts only with providers that can demonstrate their compliance with current regulations.
- Make sure you sign a contract with every client containing the content established by the GDPR. The AEPD has published a model contract for this purpose.
- When the contract or the service ends, you must take measures to ensure the client regains control of its data and that this process does not cause operational problems. In some cases the client may even ask you to transfer the data to a new provider, in which case you must also cooperate with that transfer.
If you have any doubts about this or any other issue, please contact us!
Information on data protection
LEGAL IT GLOBAL 2017, SLP