Folks, i distribute my post on LinkedIn:
<<
GDPR violates general SOA principle in Cloud: Until GDPR released, Cloud providers/services could pretend and/or tried to seek for becoming real Services in a Service-Oriented Ecosystem (SOE).
The GDPR's Article 28 has crashed this intention by ignoring the fundamental Principle of Independence among Cloud Services. The Principle states that each service deals with only its immediate customers and decides on possible contracts with them. As a result, the "Knight Rules of Service Relationships" were set saying among others, "a provider of my provider is not my provider" and " a consumer of my consumer is not my consumer". I.E. a consumer does not need to know what other services its immediate service is useing, when and what for.
The Article 28 requires, "The processor shall not engage another processor without prior specific or general written authorisation of the controller". In SOE, a regulation may only request the controller (customer) to set a contract with the processor (provider) in a way that obliges the latter to inform the controller of any further processing and the processor (provider) can deny it; a regulation cannot dictate an independent service to accept a contract proposed by consumer (controller).
>>
I've reported this problem to EU ICO and now awaiting for a reaction.
Cheers,
- Michael