
What are the EDPS recommendations for the use of cloud services by public authorities?

This message is addressed to public data controllers using a cloud.

The European Data Protection Board (EDPB) recently published a report on the use of cloud services by public authorities in 22 national supervisory bodies. Specifically, this report advises data controllers using cloud services to follow 11 recommendations.

What are these recommendations?

  1. Conduct a Data Protection Impact Assessment (DPIA) to identify additional security measures needed to ensure compliance with applicable laws and regulations. Only cloud service providers offering sufficient guarantees should be selected.
  2. Ensure that the roles of the parties involved are clearly and unambiguously determined. Public authorities should clearly define their roles with regard to the use of cloud services through an internal assessment or as part of a DPIA.
  3. The cloud service provider should only act on behalf of and under the instructions of the public authority. The public authority must verify that there is still a valid legal basis for any transfer of personal data to a cloud service provider acting as a controller, either alone or jointly.
  4. Check the current and future subcontractors of the cloud provider. Make sure an appropriate procedure is agreed so that the public authority can object to new subcontractors if needed.
  5. Minimise the amount of data processed for clear and explicit purposes. It must be ensured that personal data are not further processed for purposes incompatible with the original purposes.
  6. Reassess the processing operations against the impact assessment and update it where necessary.
  7. Ensure that the public procurement procedure includes all necessary requirements. This is particularly important for ensuring GDPR compliance.
  8. International data transfers by the supplier must be GDPR compliant and may be restricted by the public authority. Public authorities must require the supplier to use an appropriate transfer tool and, if necessary, to take appropriate additional measures.
  9. Review the contract with the supplier in detail and, if necessary, renegotiate it to ensure GDPR compliance.
  10. Check the possible conditions for an audit of the supplier, whether carried out internally or by a commissioned external auditor.
  11. Include the DPO from the very beginning of a project, particularly in the analysis of contracts and in all the steps outlined in this document.

The full EDPB report is available on the EDPB website.
