Data protection and security with cloud providers
Cloud and data protection after "Schrems II": do they still go together? Yes, if certain rules are observed, this is still possible. This blog post briefly outlines what exactly needs to be considered when it comes to data protection with cloud providers.
"Schrems II" and the new standard contractual clauses
In the "Schrems II ruling", the European Court of Justice determined that the GDPR also applies in cases where access by a country's authorities or intelligence services may occur for reasons of national security. This applies to the USA, the home country of the major cloud providers, and is diametrically opposed to the basic idea of data protection.
A first step towards solving the problem is to conclude standard contractual clauses with the data importer. In this way, data protection, cloud and GDPR can still be brought together. The EU Commission published new standard contractual clauses in an implementing decision on 4 June 2021 and determined that an effective level of protection can be established through additional measures such as anonymization or encryption, with the encryption key remaining with the data exporter.
Contents of the new standard contractual clauses
The new standard contractual clauses combine general clauses with a modular approach. Module 2 is particularly interesting for companies that value data protection and data security in the cloud: transfers from an EU controller to a processor in a third country.
In addition to the 18 clauses themselves, Annexes I to III must also be observed. Among other things, they require a comprehensive and specific description of the data transfer, a specific description of the data importer's technical and organizational measures, and a list of any sub-processors.
In Module 2, the data importer is obliged to comply with the requirements of the GDPR. In line with its role as a processor, its central obligation to the data exporter is emphasized.
Transfer Impact Assessment
One of the key innovations in the new standard contractual clauses can be found in clause 14: "Local laws and practices affecting compliance with the clauses". There is now an obligation to carry out a "transfer impact assessment", i.e. a comprehensive, case-by-case data protection impact assessment. The central question to be answered is: can and will the cloud provider (data importer) actually fulfill the obligations under the GDPR imposed on it by contract?
Assessment criteria include the following:
- The circumstances of the transfer, the actors involved, the categories of personal data transferred, the transmission channels used and the storage location.
- Relevant legal provisions and practices of the third country, in particular those standards that permit the disclosure of data to authorities and intelligence services or their access to personal data.
- According to recital 19 sentence 2 of the implementing decision, a third-country rule that conflicts with the standard contractual clauses does not in itself mean that the transfer must not take place. This deficiency can be "cured" by encryption or anonymization.
And now?
By 27.12.2022, all data transfers to a third country must be converted to the new standard contractual clauses and supplementary measures, unless an adequacy decision or derogation applies. 2B Advice is happy to support you with this challenge. We help you to comply with the GDPR consistently, and we support you in ensuring data protection and data security at all times, even in the cloud.