The European Data Protection Board (EDPB) published a report that consolidates the findings of all national supervisory authorities participating in the Coordinated Enforcement Action (CEF) on the use of cloud-based services by the public sector.
The challenges identified include performing a risk assessment regarding data protection and the roles of the parties in this regard, control of public bodies over sub-processors as well as challenges related to international data transfers and access by public authorities of foreign countries.
The EDPB emphasizes the need for public bodies to comply with the GDPR when using cloud-based services and, among other things, highlights points that must be considered when executing agreements with cloud service providers. These highlights include the involvement of the DPO, conducting a review to assess whether the processing is carried out under the DPIA, making sure that the roles of the parties involved are clearly determined, making sure that the personal data are required according to the purposes for which they are intended, and more.
Click here to read the 2022 Coordinated Enforcement Action Report on the use of cloud-based services by the public sector.