Effective 25 May, 2018, the General Data Protection Regulation (“GDPR”) governs how companies must handle the personal data of EU residents, regardless of where in the world the data is located.
Article 4 of the GDPR classifies those who handle data as “data controllers” or “data processors”. A data controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while a data processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller.” “‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Broadly speaking, controllers are obligated to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR, and processors must provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject.”
APPLICATION OF THE GDPR TO WEBAIR’S COLOCATION SERVICES
In connection with its colocation services, Webair is neither a controller nor a processor of the data on its customers’ servers: Webair does not “determine the purposes and means” of processing such data, and does not undertake any activities with respect to such data that fall within the definition of “processing.”
In addition, Webair is a “mere conduit” for such data and is not liable for the information transmitted:
Article 2 of the GDPR, “Scope,” provides in part,
This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Article 12 of Directive 2000/31/EC provides:
ARTICLE 12. “Mere conduit”
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement.
APPLICATION OF THE GDPR TO WEBAIR’S HOSTING SERVICES
Although certain of the services provided by Webair in relation to hosting – such as data storage – are within the definition of “processing,” Webair does not itself undertake any such activities – rather, it provides the hardware and software upon which its customers can do so. Further, to the extent that Webair provides customers with access to automated means by which they can process their data, Webair does not know whether the data processed by its customers is personal data or not.
In addition, Webair is not liable for information hosted on its servers pursuant to Article 14 of Directive 2000/31/EC, which provides:
Article 14. Hosting
1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.
APPLICATION OF THE GDPR TO OTHER SERVICES
To the extent, if any, that Webair is a data processor with respect to any services, Webair will agree to contractual assurances of compliance, to the extent appropriate in light of the services provided.
With respect to the specific requirements of Article 28 of the GDPR, to the extent, if any, that Webair processes personal data:
- The processing activities provided by Webair are content-neutral, in that Webair does not know whether the data being stored or transmitted includes or comprises personal data. Nonetheless, Webair does not process personal data except upon documented instructions from the controller.
- All persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Webair takes all measures required pursuant to Article 32;
- Webair respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
- Taking into account the nature of the processing, Webair assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
- Webair assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
- At the choice of the controller, Webair deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- Webair makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.