Through the Guidelines for the Protection of Personal Data in cloud computing services, the Superintendency of Industry and Commerce issued a series of recommendations to be followed by those that collect and decide about the processing of personal data (the “Data Controllers”), in cases in which Data Controllers contract with a third party (the “Data Manager”) in order to process personal data on behalf of the former, using cloud computing services (media and platforms).
Within these recommendations, the Superintentency mentions that the Data Controllers must identify the type of personal data that will be processed through cloud computing services, request and study the experience and professionalism of the Data Manager, and ask for the location of the servers used by the Data Manager for the processing of personal data, among others.
Similarly, the Guidelines indicate that contracts between the Data Controller and the Data Manager for the processing of personal data through cloud computing services, should clearly define the terms and conditions of the service, agreeing at least the following: (i) the purpose of the processing of personal data; (ii) the obligation for the Data Manager to report security incidents; (iii) how the Data Manager will assist the Data Controller for implementing mechanisms that allow data subjects to exercise their rights; (iv) the existence of subcontractors for the processing of personal data; (v) the use of necessary measures to ensure the security and guarantee the confidentiality of the personal data; (vi) the obligation for the Data Manager to update and rectify the information in accordance with the instructions of the Data Controller; (vii) how the personal data is stored; (viii) how the devolution and the destruction of the personal data will take place; and (ix) agreements about the service and for noncompliance.