EU: EDPB issues statement on coordinated enforcement action for use of cloud-based services
The European Data Protection Board ('EDPB') issued, on 18 January 2023, a report on the Coordinated Enforcement Action regarding the use of cloud-based services by the public sector. In particular, the report presents the aggregate findings of the supervisory authorities ('SAs') participating in the Coordinated Enforcement Framework ('CEF') set up by the EDPB to streamline enforcement cooperation. Notably, the report stresses that public authorities should pay particular attention, at the pre-contractual phase, to carrying out a Data Protection Impact Assessment ('DPIA') before engaging cloud service providers ('CSPs') and to clearly defining the respective roles of the public authority and the CSP. With regard to the contracts themselves, the report finds that public bodies showed poor knowledge of relevant issues, including how to control sub-processors, and that public authorities faced challenges relating to international data transfers.
Accordingly, the report recommends that public authorities and CSPs take into account, among other things, when concluding agreements:
- the carrying out of DPIAs;
- the clear and unequivocal determination of the roles of each party to an agreement;
- ensuring CSPs act only on behalf of and according to the instructions of the public authority, alongside identifying where the CSP acts as a controller;
- ensuring a meaningful way to object to new subprocessors is possible;
- cooperating with other public authorities in negotiating with CSPs;
- carrying out a review to assess if processing is performed in accordance with the DPIA;
- identifying which data transfers may take place in the context of routine service provision and, where the CSP processes personal data for its own business purposes, ensuring that the provisions of Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') are met; and
- verifying that the conditions under which the public authority may carry out, or contribute to, audits are in place.
Notably, the report was adopted in the course of the EDPB's January 2023 plenary meeting, in which the EDPB also adopted a report on work undertaken by the Cookie Banner Taskforce, and discussed the European Commission's draft adequacy decision for the EU-U.S. Data Privacy Framework.
You can read the report here.
UPDATE (25 January 2023)
Spain: AEPD issues statement on participation in CEF on use of cloud-based services
The Spanish data protection authority ('AEPD') issued, on 24 January 2023, a statement on its participation in the CEF, set up by the EDPB, regarding the use of cloud-based services by the public sector. In particular, the AEPD outlined that it had examined 12 public bodies across a range of sectors, including health, finance, taxes, education, and IT, by evaluating their answers to a questionnaire on the GDPR compliance challenges they face when using cloud services in the course of their activities.
You can read the press release, only available in Spanish, here.
UPDATE (26 January 2023)
Baden-Württemberg: LfDI Baden-Württemberg issues statement on participation in CEF on use of cloud-based services
The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 25 January 2023, a statement on its participation in the CEF, set up by the EDPB, regarding the use of cloud-based services by the public sector. More specifically, the LfDI Baden-Württemberg noted that it requested the opinion of the State Authority IT Baden-Württemberg ('BITBW'), i.e. the central IT service provider, on various data protection aspects of cloud services.
In this regard, the LfDI Baden-Württemberg outlined that it will continue to support the BITBW in an advisory capacity and, where necessary, provide specific information on optimising compliance with data protection law. Further, the LfDI Baden-Württemberg explained that it will also incorporate the results of the coordinated enforcement action into its own practices.
You can read the press release, only available in German, here.
UPDATE (22 February 2023)
Italy: Garante issues statement on participation in CEF on use of cloud-based services
The Italian data protection authority ('Garante') issued, on 21 February 2023, a statement on its participation in the CEF, set up by the EDPB, regarding the use of cloud-based services by the public sector. In particular, the Garante highlighted that, in the Italian context, a general 'lack of awareness' emerged regarding transfers to third countries, requests by third-country public authorities for access to data stored in the EEA, and the possible further processing of data carried out by cloud service providers through telemetry. Moreover, the Garante stated that another sensitive issue concerns auditing, noting that some entities complained that cloud providers do not allow auditing and inspection activities to take place and that it is difficult to agree on specific audit clauses.
You can read the press release, only available in Italian, here.