The Danish Data Protection Authority has, following an inquiry from Region Midtjylland, considered whether providers of co-location of servers which are used for processing personal data should be considered data processors. In its inquiry, Region Midtjylland stated that co-location is a storage service provided by IT companies, and that the region places its own servers in a server cabinet with a company that provides the server cabinet.
The Danish Data Protection Authority generally concluded that a business, authority or other organisation that provides co-location of servers should not be considered a data processor for the organisations or businesses to which the co-location service is delivered. As a prerequisite for its conclusion, the Danish Data Protection Authority emphasized that the provider of co-location does not have access to personal data on the servers the business stores. As an example, the Danish Data Protection Authority cites situations where the customer has placed its own servers with power and internet connections in a locked server cabinet, to which only the customer has access.
To justify its point of view, the Danish Data Protection Authority also emphasized that the provision of co-location for servers is primarily about the provision of a service other than the processing of personal data, through the provision of physical facilities, internet and power supply, and that the provider therefore does not initially have access to the information stored on the servers. The Danish Data Protection Authority emphasizes, however, that the statement only constitutes a starting point, and that other circumstances may lead to the co-location provider being considered a data processor.
As examples of circumstances that may lead to the provider being considered a data processor, the Danish Data Protection Authority highlights situations where the provider has access to the server cabinet, so that the personal data can be accessed. Other situations include where the provider can replace or otherwise process the hard drives that are stored or where the servers can be moved, turned off and on or otherwise handled. Another situation is where the provider offers additional services beyond just physical facilities, electricity and internet, for example services in the form of firewalls, back-up or other security measures that include the processing of personal data.
The Danish Data Protection Authority also noted that the co-location provider should, as a basis, be the data controller for the processing of personal data that takes place as part of the physical security measures that the provider has established, such as registration of visitors, logging of key tags and camera surveillance. The Danish Data Protection Authority further noted that it is the businesses that use co-location that are obliged to establish and carry out controls with satisfactory processing security in line with GDPR Article 32. This means that the customer must be aware of the provider's security measures, and assess whether these are sufficient in relation to the processing activities carried out on the servers.
Overall, there is still reason to emphasize that the Danish Data Protection Authority's statements suggest that providers of server co-location should not be regarded as data processors, unless specific circumstances of the provider's service indicate that the provider is nevertheless involved with the personal data that is processed on the servers.
The decision can be read in its entirety here: