All the companies which are foreseen the possibility to change its manner to storage, use and manage its data have to seriously pay attention to the contractual criteria used by the cloud computing companies. According to the Spanish Data Protection Agency (hereinafter, “AEPD”) the contractual samples used by such companies does not include the minimum levels of protection required to guarantee a safely use of such technology by whatever company, and to have regulated the consequences of a termination of this kind of agreement.

Then, it is important to underline some basic aspects that we understand have to be included in the Cloud Computing Services Agreement to be executed with the cloud computing company:

• It has to be included the geographic situation of the cloud computing company servers. And it will be interesting to obligate the company to have the servers in Europe, having then a good level of protection according to the current data protection directive (Directive 95/46/EC, ‘the Data Protection Directive’) and the relevant national implementation in the EU members. If the servers are in the United States of America it is convenient to take a look to the secrecy laws there and try to regulate contractually the protection of the data in such server.

• It is convenient to not admit subcontractors in such kind agreement, establishing the contract as a “intuitu personae” Agreement. • Regulate the consequences of the agreement termination and the portability of the data (assign, destroy, or transfer the data).

• Set forth the obligation for the cloud computing company server to provide auditor reports related to the safety measures adopted, following EU member national regulations as for example in Spain (article 96 of the regulation for the development of the Data Protection Law) which includes such provision as mandatory for the medium safety level of protection (for example, for files containing a set of personal data which provide a definition of the characteristics or personality of citizens, evaluating aspects of their personality or behaviour).

• Applicable Law: in Spain the protection data law says that applicable law is the national law of the cloud computer user has its domicile.

It seems then that again the technology goes faster than the law and that all things not covered by the current Data Protection Directive has to be strictly regulated by the parties in the relevant contracts to preserve and have the best guarantee of protection of the data of a company. We expect that with the new EU regulation (being directly applicable in all EU members), which have to be voted by the European Parliament next 2014 to replace the current Data Protection Directive, will cover as better as possible all different scenarios created by cloud computing companies to have protected the companies which want to use such new method to storage, manage and use the company’s data, generating better legal certainty and safety for these new users.