EDPB issues statement on coordinated enforcement action for use of cloud-based services.
The European Data Protection Board ('EDPB') issued, on 18 January 2023, a report on the Coordinated Enforcement Action regarding the use of cloud-based services by the public sector. The report sets out the aggregate findings of the supervisory authorities ('SAs') participating in the Coordinated Enforcement Framework ('CEF'), which the EDPB set up to streamline enforcement cooperation. Notably, the report states that public authorities should pay particular attention, at the pre-contractual phase, to the performance of a Data Protection Impact Assessment ('DPIA') and to the respective roles of public authorities and cloud-based service providers ('CSPs'). With regard to the contracts themselves, the report finds that public bodies exhibited poor knowledge of relevant issues, including how to control sub-processors, and that public authorities faced challenges relating to international data transfers.
Accordingly, the report provides that public authorities and cloud service providers should take into account when concluding agreements, among other things:
- the carrying out of DPIAs;
- the clear and unequivocal determination of the roles of each party to an agreement;
- ensuring CSPs act only on behalf of and according to the instructions of the public authority, alongside identifying where the CSP acts as a controller;
- ensuring that a meaningful way to object to new sub-processors is available;
- cooperating with other public authorities in negotiating with CSPs;
- carrying out a review to assess if processing is performed in accordance with the DPIA;
- identifying which data transfers may take place in the context of routine service provision and, where personal data is processed for the CSP's own business purposes, ensuring that the requirements of Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') are met; and
- verifying that the conditions under which the public authority is allowed to, and in practice can, contribute to audits of the CSP are in place.