Commissioned Data Processing Agreement

Özgür Bal Uncategorized Leave a Comment

We are continuously taking actions to ensure that we continue to comply with the new General Data Protection Regulation (GDPR). We recently released our Commissioned Data Processing Agreement (CDPA), an agreement that governs how we process data in accordance with GDPR. It is important to understand the relationship between our mutual responsibilities as user and supplier of cloud services, this is something we detail in this article. We will also explain some of the specific steps that we have taken to ensure and future proof our GDPR compliance and what you as a user of our services need to do next.

YES, this means that all our existing and potential users can continue to store data in City Cloud, where we will process said data in a GDPR compliant manner, in any of our EU locations.
NO, storing data in City Cloud does not automatically make your organisation GDPR compliant. (More on this further down)


Our different data relationships

This is an extremely important aspect when it comes to protecting personal data – understanding the relationships and chain of responsibility between you and your service providers and also your mutual responsibilities towards Data Subjects.


You Data Subject, we Data Controller

In the first interaction with City Network, when you become a customer of ours by signing up for our services, we become a data controller of your Personal Data. Our general terms and our privacy policy states exactly what we do with your data and you can find them right <a href=””>here</a>. For this interaction, we can guarantee that we will control your personal data in a GDPR compliant manner and that we have signed data processing agreements with our vendors so that your data is also processed in a GDPR compliant manner.


You are the DATA SUBJECT
City Network is the DATA CONTROLLER
City Network’s vendors are DATA PROCESSORS

In other words: You (DATA SUBJECT) provide personal data to City Network (DATA CONTROLLER) who promises (through General Terms and privacy policy) to control your Personal Data according to the GDPR and that it has signed agreements with it’s vendors (DATA PROCESSORS) so that your personal data is processed according to the GDPR.


You Data Controller, we Data Processor

When you start using our services and, most likely, store your customers personal data in our services we have a second relationship. This time around, you are the data controller of your customers data and City Network becomes a data processor of said data. For this interaction, we can guarantee that we will process your customers personal data in a GDPR compliant manner.


Your customers are DATA SUBJECTS
City Network is the DATA PROCESSOR

In other words: Your customers (DATA SUBJECTS) provide personal data to you (DATA CONTROLLER) who promises (most likely through your General terms and privacy policy) to control their personal data according to the GDPR and also that you have signed agreements with your vendors (DATA PROCESSOR) so that data that you store with said vendors are processed according to the GDPR.

As you can see, the chain of responsibility must stay intact throughout the entire process and this chain can be as long as there are SUBJECT / CONTROLLER / PROCESSOR -relationships. Most importantly, you must understand that there is no such thing as GDPR compliance by proxy. Storing your customers personal data in a GDPR compliant service does not automatically make your organisation GDPR compliant.


The binding agent – CDPA

To ensure that the chain of responsibility is intact and that handling of personal data is properly managed, in cases where the data controller and the data processor is not the same entity, GDPR demands that a data processing agreement is signed. The Commissioned Data Processing Agreement (CDPA) is a non-transferable agreement which means that a CDPA is required for each and every relationship between a data controller and it’s data processors.

Our CDPA is mandatory for all users of our cloud services regardless of their current intentions regarding collection and storage of personal data in our cloud services. By the sheer nature of our cloud services, encryption and other security and privacy measures, we can not control or see what our users choose to store in our cloud services. Therefore, this is a proactive approach to make sure that the CDPA with it’s clear instructions of responsibility is in effect IF our users decide to collect and store personal data in our cloud services at any time in the future.

In short, The CDPA governs our mutual responsibilities to protect personal data as data controller (You/your organisation as obtainer or potential obtainer of personal data) and data processor (City Network Hosting AB as supplier of the cloud service in which said data is stored).

Signing our CDPA is mandatory for all business users and you can find it by logging in to citycontrolpanel. After signing the agreement, you will receive a copy via email.


What we have done to ensure GDPR compliance

We have spent the last 4 years ramping up our security and privacy measures. Albeit not for the sake of GDPR alone, some of the things that we have done has been directly connected to demands deriving from the new law.

Lifecycle management – New and better processes in place to ensure that no End of Life software, hardware or peripherals are used in any of our systems.

Decommissioned systems – Systems or parts of systems that are no longer viable to update or upgrade has been decommissioned


What we are continuously doing to improve security and privacy

ISO certifications – City Network has a wide range of ISO certifications that ensure our compliance with strict security and privacy regulations as well as environmental and business continuity aspects. To date, we are certified according to the following ISO standards:


Family of Information Security Management Standards

27001 – ISMS

27010 – (Compliant Cloud only)

27013 – (Compliant Cloud only)

27017 – (Compliant Cloud only)

27018 – (Compliant Cloud only)

Business Continuity




Management System



What we are looking to do in the near future

We have always glanced at the Germans and the BSI whom we believe to have rigorous processes to ensure information security and compliance, particularly for cloud services. This year we are embarking the C5 certification process which is a certification specifically for cloud service providers. If you are interested in reading more about this certification, you can find more information here.