GDPR

Since you offer IaaS and PaaS services to an EU company, you will have access to personal data. You should be a data processor unless you have autonomy in the way you process personal data. According to Chapter V in GDPR, you need to do the data transfer via one of the accepted transfer mechanisms: adequacy decision (Art 45 GDPR), binding corporate rules (Art 47 GDPR), standard contractual clauses, approved code of conduct, approved certification mechanism (Art 46 GDPR) or Derogations (Art 49 GDPR). My recommendation is to use the new EU Standard Contractual Clauses for Controller to Processor, adding the necessary additional technical and organizational measures to offer the same level of protection for transferred personal data as it is offered under GDPR in the EU.

Please read more details:

• Chapter V GDPR - Transfers of personal data to third countries or international organisations: https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/
• Article 45– Transfers on the basis of an adequacy decision: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
• Article 46– Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• Article 47– Binding corporate rules: https://advisera.com/gdpr/binding-corporate-rules/
• Article 49– Derogations for specific situations: https://advisera.com/eugdpracademy/gdpr/derogations-for-specific-situations/
• Cross Border Personal Data Transfer Procedure: https://advisera.com/eugdpracademy/documentation/cross-border-personal-data-transfer-procedure/
• EU GDPR Toolkit (containing all documentation for GDPR Compliance): https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/