It escapes no one that cloud hosting services end up being provided, directly or indirectly, by Internet giants, which impose their adhesion contracts with all kinds of disclaimers in their favor. And what negotiating capacity does a Spanish company have with these providers? None, and the response of the Agency at the meeting was blunt: if you want to contract a cloud hosting service for personal data and the adhesion contract does not comply with the Organic Law on Data Protection, the Spanish company may not contract the service. Among the obligations of Article 12 of the Data Protection Act is to specify the applicable security measures, as laid down in the regulation. By the very nature of the hosting service, the provider will define the security measures that it deems appropriate, but it is not feasible for one set of measures or another to be applied depending on the needs of the client. That is, providers will at no point enter into a discussion of whether they should apply a stricter level of security depending on the sensitivity of the personal data that the customer wants to host. Therefore, the logical thing would be for the default security measures to comply with the high level of security, but it is very unlikely that providers will implement exactly the security measures required by the regulation. In any case, the response of the Agency on this issue has been somewhat more reasonable than expected.
It will suffice to specify the actual security measures that the service applies, provided that they guarantee a level more or less equivalent to that required by the regulation. That is, it is accepted that the security measures laid down in the regulation are not specifically met, provided that alternative measures are put in place that ensure the confidentiality, integrity and availability of the information. In particular, the Agency stresses the importance of security auditing to ensure that the measures are appropriate.