Data protection and security with cloud providers
Cloud and data protection after "Schrems II": do they still fit together at all? Yes, if certain rules are observed, this is still possible. This blog post briefly outlines what exactly needs to be considered when it comes to data protection with cloud providers.
"Schrems II" and the new standard contractual clauses
With the "Schrems II judgment", the European Court of Justice ruled that the GDPR also applies in cases where a country's authorities or intelligence services may gain access for reasons of national security. This applies to the USA, the home country of the major cloud providers, and is diametrically opposed to the basic idea of data protection.
A first step towards solving the problem is to conclude standard contractual clauses with the data importer. This brings data protection, cloud and GDPR together after all. By implementing decision of 4.6.2021, the EU Commission adopted new standard contractual clauses and found that additional measures such as anonymization or encryption, where the key should lie with the data exporter, serve to ensure an effective level of protection.
Contents of the new standard contractual clauses
In the new standard contractual clauses, general clauses are combined with a modular approach. For companies that focus on data protection and data security in the cloud, Module 2: EU Controller to Processor in a third country is particularly important.
In addition to the total of 18 clauses, Annexes I-III must also be observed. Here, among other things, a comprehensive and specific description of the data transfer must be provided, the technical and organizational measures of the data importer must be specifically described, and any sub-processors must be listed.
In Module 2, the data importer is obligated to comply with the specifications of the GDPR. In accordance with its role as a processor, its central obligation to the data exporter is emphasized above all.
Transfer Impact Assessment
One of the central innovations of the new standard contractual clauses can be found in clause 14: "Local laws and customs that affect compliance with the clauses". There is now an obligation to carry out a "Transfer Impact Assessment", i.e. a comprehensive, case-by-case data protection impact assessment. The following control question must be answered: Can and will the cloud provider (data importer) actually fulfill its contractual obligations under the GDPR?
Assessment criteria include the following:
- Circumstances of the transmission: the actors involved, the categories of personal data transmitted, the transmission channels used and the storage location.
- Relevant legal provisions and practices of the third country, in particular those rules that prohibit the disclosure of data to public authorities and intelligence services or allow their access to personal data.
- According to the second sentence of recital 19 of the implementing decision, the fact that the third country's legislation is contrary to the standard contractual clauses does not per se mean that the transfer must not take place. Through encryption or anonymization this shortcoming can be "cured".
And now?
By 27.12.2022, all data transfers to a third country must, if no adequacy decision or exemption is available, be switched to the new standard contractual clauses and supplementary, additional measures. 2B Advice is happy to support you with this challenge. We will help you to implement the GDPR consistently. We support you in ensuring data protection and data security at all times, even in the cloud.





