First European Report on the Use of Cloud Computing in the Public Sector From the Privacy Perspective

The Spanish DPA (AEPD) just published the conclusions of this first European report, coordinated by the European Data Protection Board, on the use of cloud in the public sector. This article summarizes its privacy and data protection implications.

The Agencia Española de Protección de Datos (AEPD) has  published a note on their participation “in the first coordinated action of European data protection authorities to analyze the use of cloud services by the public sector, an initiative carried out within the framework of the coordinated actions of the European Data Protection Board (EDPB)” according to their statement.

The report, which offers a European vision of the public sector in this matter, brings together the results of the 22 data protection authorities that have participated in the initiative as well as the European Data Protection Supervisor. The report provides a comprehensive vision to identify and promote best practices, detect possible deficiencies and make recommendations in the contracting and use of cloud services by public bodies. A hundred public bodies have been studied in all member countries, 12 of them analyzed by the AEPD. The report covers a wide range of sectors such as health, finance, taxes, education and information technology service providers. The purpose of this global report is to contribute to raising the level of compliance and the protection of citizens' personal data, not only at the national level but also in the whole of the EU.

Here’s a list of some of the recommendations for public bodies contained in the report:

  • Involve the data protection officer;
  • Carry out a Data Protection Impact Assessment;
  • Ensure that the roles of data controller and processor are clearly and unequivocally determined;
  • Ensure that the cloud computing provider acts as a processor following the instructions provided by the public body;
  • Ensure that the public body can object to other processors processing the data;
  • Ensure that personal data is only processed for the specified purposes;
  • Cooperate with other public bodies in the contracting of cloud providers;
  • Check if the processings are carried out in accordance with the impact assessment;
  • Identify if the cloud service provider performs the data processing in a country outside the EU. If this is the case, the regime of international data transfers according to the GDPR must be taken into account;
  • Analyze whether the legislation of the country of origin of the cloud service provider allows it to be required to access the data it stores in the territory of the EU;
  • Check that the public body has the possibility to carry out audits of the cloud service provider and ensure that they are carried out;
  • Examine the contract with the service provider and, if necessary, renegotiate it.

The data protection authorities, despite acknowledging the difficulties that public bodies may have in contracting cloud service providers with guarantees, highlight in the report the importance of complying with the requirements of the General Data Protection Regulation, taking take into account the nature and amount of personal data they handle.


Article provided by INPLP member: Belén Arribas (Belén Arribas, Abogada, Spain)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)