Cloud Computing can be defined as a service structure that enables applications to be run via the internet or to keep the data of the user accessible on the remote server at any time[1]. As a rapidly developing technology, Cloud Computing brings brand new dimensions to companies and individuals; it provides computer resources and internet-based computing services shared among users. In this respect, Cloud Computing is one of the basic tools that will reshape trade and commercial enterprises in a globalizing world. Therefore, it is of great importance to grasp the legal infrastructure of this emerging information system, which is still under development.

The Cloud Computing service is basically offered in three ways by the service provider based on an agreement with the “user” [2]: Infrastructure Service (IaaS)[3], Platform service (PaaS)[4], Software service (SaaS)[5]. Although the service that is the subject of the contract is the activity of storing virtualized data ready for processing, it would not be the right approach to characterize this type of contract as a “safekeeping contact” in terms of the Turkish Code of Obligations (“TCO”). This is because there are also undertakings of the service provider regarding software and maintenance services in cloud computing contracts. Therefore, it would be more appropriate to define Cloud Computing contracts as a type of contract that is not specifically regulated by law (sui generis); they are mixed contracts which contains different elements of various contract types[6].

Points to Take into Consideration in Cloud Computing Contracts

Liability: Sometimes, Cloud Computing service can also be obtained by end users through sub-service providers. In such cases, the direct or indirect responsibility relationship between the Cloud Computing Provider and the sub-service providers must be determined clearly. As per articles 115[7] and 116[8] of TCO, in cases where there is a non-liability clause in the agreement which eliminates the responsibility of the service providers on gross negligence, these clauses shall be deemed null[9]. As it is stated in the mentioned articles, it would be still possible to eliminate the service provider’s responsibility on slight negligence.

Applicable Law: The universal sharing feature brought by Cloud Computing also raises the problem of where shared data is stored (mainly because of cross-border data flow). The biggest problem in this regard can be expected to occur especially for companies that will serve the European Union (“EU”) countries. As a matter of fact, according to the EU Data Protection Directive, the companies which will establish their Cloud Computing services outside the EU countries or rent their servers outside from the EU countries, provide Cloud Computing services must be at the data protection security level determined by the laws of the EU countries where the servers are located[10].

It is possible to put an arbitration clause in the Cloud Computing agreements for the resolution of disputes arising from the agreement. However, according to the established jurisprudence of the Court of Cassation, if the user is a “consumer”[11], the arbitration clause included in the contract is considered as an unfair condition as it will make it difficult for the consumer to seek his/her rights[12].

Protection of Personal Data and Data Transfer: Issues such as consent to the transfer of data to service providers and data centers, consent to the processing of data, and conditions for transferring data to public authorities should be evaluated and discussed in detail. In this context, while preparing the Cloud Computing Contracts, it is essential to act in accordance with the Personal Data Protection Law No. 6698 (Law No.6698) of Turkey and General Data Protection Regulation (GDPR)  and it is necessary for the data controller to evaluate whether the security measures taken by the cloud storage service provider are sufficient. Therefore, it is recommended that the personal data stored in the cloud be known in detail, backed up, synchronized and if necessary, two-step authentication control is applied for remote access[13]. During the storage and use of personal data contained in the said systems, encryption keys must be used separately by cryptographic methods[14]. When the cloud computing service relationship ends; all copies of encryption keys that may be used to make personal data available must also be destroyed[15].

Author: Deniz Çelikkaya

[1] Değirmenci Olgun, “Bulut Bilişim ve Beraberinde Getireceği Hukuksal Sorunlar Üzerine Görüşler”,, Access Date: 21.02.2020; “National Institute of Standards and Technology: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”,, Access Date:21.02.2020.

[2] Yüksel Hakan, “Bulut Bilişim El Kitabı”,, p.8, Access Date: 23.02.2020.

[3] IaaS is a service that provides standardized data storage and other computing capabilities over the network. In this service model, the user can configure some network components such as the processor and storage, and can install the operating system and applications that she/he needs but does not have management and control over the infrastructure.;, p. 9, Access Date: 23.02.2020.

[4] PaaS is a service model which the necessary technological infrastructure by a service provider is established with a platform where the customer can develop and run his own application. Except for the application that the user installs himself, there is no control and management possibility on the components that make up the platform infrastructure. (e.g. Google Apps);, p.8, Access Date: 23.02.2020.

[5] SaaS is a service model which can support multiple end users or organizations simultaneously. With this service, organizations can use applications on cloud computing services while not dealing with problems such as maintenance and licenses. (e.g. Google Drive, Microsoft Office);, p.8, Access Date: 23.02.2020.

[6] , p.6-7.

[7] TCO Article 115: “A previously made agreement to the effect that the debtor shall not be responsible for gross negligence shall be strictly null and void.”.

[8] TCO Article 116: “Even if the debtor has assigned the fulfilment of the debt or the use of the right extending from the debt relationship to a person who lives with him or his assistants like his employees, the debtor shall be responsible for compensating the losses given to the other party during execution of the work by them. Responsibility extending from the actions of the assisting persons may be excluded completely or partially with a previously signed agreement.”

[9] Başgül Mürsel, “Bulut Bilişim Kapsamında Ortaya Çıkabilecek Hukuki Sorunlar”, 6th International Information Security and Cryptology Conference, Ankara 2013, p.213, , Access Date: 21.02.2020.

[10] Yüksel Hakan, “Bulut Bilişim El Kitabı”,, p.21, Access Date: 23.02.2020.

[11] Consumer Protection Law Article 3: Any natural and legal person who is acting for purposes which are not related to his trade, business or profession.”

[12] Topaloğlu Mustafa, “Bulut Bilişimde Tüketicinin Korunması”,, p.9, Access Date: 22.02.2020.

[13], p.22.

[14] , s.13

[15] Ibid.