by Aurélie Banck
On 28 May 2026, the French Data Protection Authority (CNIL) published guidelines on how to qualify the respective roles of cloud computing providers and their clients under the GDPR [1]. The exercise is timely: in an ecosystem built around IaaS, PaaS and SaaS offerings — where the division of responsibility shifts depending on the provider’s level of control and the client’s room for configuration — qualification is rarely as simple as “the provider processes, the client decides.” The CNIL’s central message is straightforward but important: a cloud service provider is not automatically a processor. Its status depends on the purpose of each specific processing activity, and the same provider may simultaneously be a processor for one operation, a controller for another, and a joint controller for a third.
A Framework Built Around Three Purposes
Drawing on the criteria developed by the European Data Protection Board in its 2021 Guidelines 07/2020 on the concepts of controller and processor, the CNIL organises its analysis around three recurring purposes in the cloud context: (i) the provision of the service itself, (ii) the improvement of the service, and (iii) security “of” the cloud and security “in” the cloud. The CNIL is careful to note that this grid is a starting point, not a rigid template — it must be adapted to reflect the actual relationship between the parties, and where doubt remains, the reasoning behind the qualification chosen should be documented and justifiable.
Service Provision: The Default, and Its Limits
For the core service itself, the default position is unsurprising: the client determines the purposes of the processing (e.g., managing customer relationships through a cloud-based CRM) and retains essential control over the means — it chooses its provider, and keeps some latitude over configuration, data selection, retention and local backups. The provider, processing data on the client’s instructions to deliver the service, therefore acts as a processor. Crucially, the CNIL stresses that a provider’s practical control over most operational means does not, by itself, turn it into a controller.
That said, the picture can change. Where a single operation — typically the deployment of trackers — serves both the client’s purposes (audience measurement) and the provider’s own purposes (improving its product), the CNIL considers that joint controllership may apply to that specific operation, even though each party remains separately responsible for whatever it does afterwards with the data for its own purpose.
Service Improvement: Three Possible Outcomes
Service improvement is where qualification becomes genuinely fact-dependent, and the CNIL sets out three scenarios. First, the provider may be sole controller where it alone defines both the purpose and the means of the improvement — typically when the analysis is provider-initiated, draws on aggregated data from multiple clients, and the client has no visibility into or influence over what is being optimized. Second, the client may be controller and the provider processor where the improvement is requested by, and benefits, a specific client who defines the objective and can issue instructions — for instance, a bank asking its cloud host to analyze usage data to speed up its banking app. Third, joint controllership arises where provider and client jointly design the objective and the essential means of an improvement that serves both their interests — illustrated by the CNIL’s example of a SaaS ticketing provider and an energy-sector client jointly redesigning a ticket-prioritization workflow.
Security “Of” and “In” the Cloud
The guidelines also draw a now-familiar but operationally important distinction between security “of” the cloud — the provider’s own infrastructure-level measures (physical access, patching, network filtering) — and security “in” the cloud — the client-side measures applied to data hosted on the service (encryption, access management, key control). The two are interdependent: a flaw on one side can undermine the other. As a rule, the provider is controller for personal data processed to secure its infrastructure as a whole (administrator logs, telemetry, anomaly detection), since it alone defines the purpose and the technical means. The client remains controller for security measures it configures within its own environment, with the provider acting as processor. Joint controllership can nonetheless emerge where a client negotiates highly specific security requirements that shape the provider’s overall infrastructure security.
A View Shared Beyond France
The CNIL’s reminder that “processor” is not the cloud provider’s default status echoes a position another EU supervisory authority has already reached. In its decision in case 0612-23/2019/19 [2], the Slovenian supervisory authority (Informacijski pooblaščenec) examined a cloud computing provider acting as an intermediary between clients and various data sources. The provider had argued it was a mere processor acting on its clients’ instructions. The Slovenian authority disagreed: because the provider determined the technical means by which data was requested, handled, transmitted and sub-processed — and because its clients had no real ability to influence those technical and organisational measures — both parties were found to jointly determine the purposes and means of the processing. The provider was accordingly ordered to put in place a joint-controllership arrangement under Article 26 GDPR.
Read alongside the CNIL’s guidelines, the Slovenian decision is a useful reminder that this is not merely a French theoretical exercise: where a cloud provider retains effective control over the technical architecture of a service — particularly the security measures protecting it — and the client cannot meaningfully shape or audit those choices, supervisory authorities across the EU are willing to look past contractual labels and find joint controllership instead.
Practical Takeaways
For both providers and clients, the lesson is the same: qualification cannot be settled once and for all in a master services agreement. It must be assessed processing by processing — service delivery, service improvement, security of and in the cloud — and revisited as a project evolves. Where the analysis is genuinely close, documenting the reasoning is not a formality; as both the CNIL and the Slovenian precedent show, it may be the only thing standing between a processor clause and a regulator’s finding of joint controllership.
Aurélie Banck, Compliance Director and DPO, PAPREC GROUP
[2] https://gdprhub.eu/index.php?title=IP_(Slovenia)_-_0612-23/2019/19