General Data Protection Regulation

GDPR is built on seven fundamental principles that underpin all data processing activities:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

GDPR grants EU data subjects robust rights over their personal data, including:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure (“right to be forgotten”)
• The right to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision-making, including profiling

GDPR applies to all personal data processed in the cloud, regardless of where the service provider is based. Cloud providers like Exoscale are considered “processors” under GDPR, while customers typically act as “controllers.”

Both cloud providers and customers must ensure that data protection and privacy requirements are fully met, including through data processing agreements, technical security measures, and clear roles and responsibilities.

While Exoscale provides a secure and GDPR-compliant platform, customers are responsible for ensuring their own applications and data handling practices meet GDPR obligations.

This includes: - Determining the legal basis for data processing. - Honoring data subject rights. - Ensuring adequate security measures and configurations. - Signing appropriate data processing agreements with Exoscale. - Notifying authorities and affected individuals in the event of a breach, when required.