Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: EDPB announces launch of first coordinated enforcement action on use of cloud by public sector

The European Data Protection Board ('EDPB') announced, on 15 February 2022, that it had launched today its first coordinated enforcement action. In particular, the EDPB stated that in the coming months, 22 national supervisory authorities across the European Economic Area, including the European Data Protection Supervisor ('EDPS') will launch investigations into the use of cloud-based services by the public sector. In addition, the EDPB noted that this series of actions follows the EDPB's decision to set up a Coordinated Enforcement Framework ('CEF') in October 2020. Furthermore, the EDPB stated that the CEF is a key action of the EDPB under its 2021-2023 Strategy, together with the creation of a Support Pool of Experts ('SPE') and stated that the two initiatives aim to streamline enforcement and cooperation among Supervisory Authorities ('SAs'). Moreover, the EDPB outlined that over 75 public bodies in total will be addressed across the EEA, including EU institutions and covering a wide range of sectors, such as health, finance, tax, education, and central buyers or providers of IT services.

In addition, the EDPB stated that building on common preparatory work by all participating SAs, the CEF will be implemented at the national level in one or several of the following ways:

  • fact-finding exercise;
  • questionnaire to identify if a formal investigation is warranted;
  • commencement of a formal investigation; or
  • follow-up of ongoing formal investigations.

Furthermore, the EDPB outlined that SAs will especially explore challenges by the public bodies with General Data Protection Regulation (Regulation (EU) 2016/679) compliance when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship. Moreover, the EDPB stated that the results will be analysed in a coordinated manner and the SAs will decide on possible further national supervision and enforcement actions. Lastly, the EDPB noted that the results will be aggregated, generating deeper insight into the topic and allowing targeted follow-up at the EU level and that the EDPB will publish a report on the outcome of this analysis before the end of 2022.

You can read the press release here.

The following data protection authorities have also issued statements regarding the launch of the EDPB's first coordinated enforcement action:

  • Data State Inspectorate ('DVI'). You can read the press release, only available in Latvian, here;
  • Belgian Data Protection Authority ('Belgian DPA'). You can read the press release, only available in French here, in Dutch here and in English here;
  • Spanish data protection authority ('AEPD'). You can read the press release, only available in Spanish, here;
  • French data protection authority ('CNIL'). You can read the press release here;
  • Italian data protection authority ('Garante'). You can read the press release, only available in Italian, here;
  • Icelandic data protection authority ('Persónuvernd'). You can read the press release, only available in Icelandic, here;
  • Dutch data protection authority ('AP'). You can read the press release, only available in Dutch, here;
  • Office of the Data Protection Ombudsman ('the Ombudsman'). You can read the press release here;
  • Office for Personal Data Protection ('UOOU'). You can read the press release, only available in Czech, here;
  • Federal Commissioner for Data Protection and Freedom of Information ('BfDI'). You can read the press release, only available in German, here;
  • Baden-Württemberg data protection authority ('LfDI Baden-Württemberg'). You can read the press release, only available in German, here;
  • Bavarian data protection authority ('BayLfD'). You can read the press release, only available in German, here;
  • State Data Protection Inspectorate ('VDAI'). You can read the press release, only available in Lithuanian, here;
  • Portuguese data protection authority ('CNPD'). You can read the press release, only available in Portuguese, here;
  • Slovak Republic supervisory authority ('ÚOOÚ'). You can read the press release, only available in Slovak, here
  • Hellenic Data Protection Authority ('HDPA'). You can read the press release, only available in Greek, here;
  • The European Data Protection Supervisor ('EDPS'). You can read the press release here;
  • Data Protection Inspectorate ('DPI'). You can read the press release, only available in Estonian, here;
  • Swedish Authority for Privacy Protection ('IMY'). You can read the press release, only available in Swedish, here.; and
  • The Office of the Commissioner for Personal Data Protection ('the Commissioner'). You can read the press release, only available in Greek, here; and 
  • The Slovenian Information Commissioner ('IP'). You can read the press release here, only available in Slovenian, here