12.13 Cloud Computing

Where cloud based processing is operated on behalf of the data controller, (whether by the data processor itself or by its outsourced sub-processor), the archive retention policy for such processed data must comply with the data controller’s stated archive periods for the systems described in this guidance. I.e. the cloud based processing systems should not retain personal data in excess of the retention periods specified by the data controller. The exception to this is if the service provider has a lawful ground for keeping the information for a longer period, e.g. because it is required to do so by law. The data controller should also ensure the cloud based system isn’t based outside of the UK, the EEA or in a country which hasn’t otherwise received an adequacy decision from the European Commission. Now that the UK has left the EU, EEA transfers outside of these countries are possible but specialist advice should be sought from VeriFi.