If I store a person’s data in a cloud storage service provided by a third party, do I need to explain this in my privacy policy?
Though we are not legal experts, we think so:
Article 13(1)(e) – This article states that when personal data is collected from individuals, the controller (i.e., the organization collecting the data) must provide the individual with information about the “recipients or categories of recipients” of the personal data.
Under the UK GDPR, individuals have the right to know where their personal data is being stored and who has access to it. As a result we think you should explain in your privacy policy that you are using a cloud storage service provided by an outside organisation to store personal data. When explaining the use of cloud storage services in your privacy policy, you should provide details such as the name of the service provider, the type of data being stored, the purpose for which it is being stored, the location of the data, and any security measures you might have in place to protect the data. It’s also important to note that when using a cloud storage service, you should ensure that the service provider is compliant with the UK GDPR and that they have appropriate security measures in place to protect the personal data stored on their servers.