EDPB report on cloud-based services by public sector 


The European Data Protection Board (EDPB) Report sets out recommendations for public sector organisations that use cloud-based products and services. Although it is addressed to public bodies, it is also a useful reference for the private sector, since the controller obligations it describes apply to any organisation processing personal data in the cloud.

The Report adopts the ISO/IEC 17788 definition of cloud computing: a “paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand”. IBM puts the same idea more plainly: “on-demand access, via the internet, to computing resources – applications, servers (physical servers and virtual servers), data storage, development tools, networking capabilities, and more – hosted at a remote data centre managed by a cloud services provider (CSP)”.

In its conclusions, the Report emphasises the obligations of controllers that use cloud services, the importance of carrying out a Data Protection Impact Assessment (DPIA), and the need to sign a contract or other legal act that meets the requirements of the GDPR. Its recommendations to public bodies are as follows:

  • Carry out a DPIA;
  • Ensure that the roles of the involved parties are clearly and unequivocally determined;
  • Ensure that the CSP acts only on behalf of, and according to the documented instructions of, the public body, and identify any processing the CSP may carry out as a controller in its own right;
  • Ensure that there is a meaningful way to object to new sub-processors;
  • Ensure that the personal data processed are determined in relation to the purposes for which they are processed;
  • Promote the involvement of the Data Protection Officer (DPO);
  • Cooperate with other public bodies when negotiating with CSPs;
  • Carry out a review to assess whether processing is performed in accordance with the DPIA;
  • Ensure that the procurement procedure already includes all the requirements necessary to achieve compliance with the GDPR;
  • Identify which transfers may take place in the course of routine service provision, and any that arise from the CSP processing personal data for its own business purposes (see the related point above), and ensure that Chapter V of the GDPR is complied with, identifying and adopting supplementary measures where necessary;
  • Analyse whether the legislation of a third country would apply to the CSP and could lead to access requests being addressed to data stored by the CSP in the EU;
  • Examine the contract closely and, if necessary, renegotiate it;
  • Verify the conditions under which the public body is allowed to carry out, and contribute to, audits, and ensure that those conditions are in place.
