The Data Protection Office is regularly confronted with the question of whether and how cloud services can be used in compliance with data protection legislation, especially when personal data are to be stored or processed in them.
Even though these questions can only be answered in relation to the specific situation in each individual case, the Data Protection Office has compiled on its website the most important data protection questions and requirements for cloud services, which should be taken into account when a particular system is assessed or selected. In addition, the Data Protection Office is happy to provide advice on all aspects of this assessment and on any adjustments that may be necessary.
Cloud services
From a legal point of view, both the General Data Protection Regulation (GDPR) and the Liechtenstein Data Protection Act (DSG) are formulated in a technology-neutral way. This means that their rules apply to any systematic or (partially) automated processing of personal data, regardless of the technology used for it. There are no special rules for cloud services. Conversely, this means that data protection legislation does not prohibit cloud services, but it does establish rules that must be observed.
From a technical point of view, it should be noted that there are different forms of cloud services ("Infrastructure as a Service" (IaaS), "Platform as a Service" (PaaS), "Software as a Service" (SaaS), etc.) and deployment models ("public", "private", "hybrid", etc.). In addition, many of these services can be configured individually in terms of settings and architecture (for example, the server location). Finally, providers offer a wide range of licence models and service contracts.
Because of this legal and technical framework, the Data Protection Office cannot issue generally applicable statements or recommendations on individual systems, providers or licence models. To assess the data protection compliance of a specific solution, the specific situation of each individual case must always be considered. For this reason, the most important data protection questions and requirements for cloud services that should be taken into account when assessing or selecting a particular system are summarised below.
1. Data protection principles (Article 5 GDPR)
The data protection principles of Article 5 GDPR must be respected whenever personal data are processed. They include in particular:
- Lawfulness of processing
- Fairness of processing
- Transparency of processing
- Purpose limitation
- Data minimisation
- Accuracy of data
- Storage limitation
- Integrity and confidentiality of data
- Accountability of the controller
Before any processing, whether in the cloud or elsewhere, you should therefore ensure that the above principles are respected, or that technical and organisational measures have been taken to ensure that they are.
2. Data processing agreement (Article 28 GDPR)
In the majority of cases, cloud service providers qualify as processors within the meaning of Article 28 GDPR. A data processing agreement must therefore be concluded with them.
3. Technical and organisational measures (Article 32 GDPR)
Cloud services must be designed and configured so that the security of the data is appropriate to the risk to the data subjects, in every processing operation and to the greatest extent possible. This is achieved through technical and organisational measures. When selecting appropriate measures, account must be taken not only of the state of the art, the implementation costs and the nature, scope, context and purposes of the planned processing, but also of the varying likelihood and severity of the risk to the persons affected. Both the controller under data protection law and the processor, in this case the cloud service provider, are obliged to do so.
For cloud services, such specific measures can include, for example:
- Pseudonymisation and encryption of the data before they are processed in the cloud,
- Encrypted transfer of the data to the cloud (for example via VPN),
- The provider's ability to guarantee the confidentiality, integrity, availability and resilience of the cloud service and of the personal data processed in it over the long term,
- The provider's ability to restore the availability of, and access to, the data quickly after a physical or technical incident,
- Optimised access and authorisation control (IAM) for access to the data in the cloud,
- Optimised password management,
- Correct configuration of the security settings,
- Optimised security logging and monitoring,
- A process for regularly testing, assessing and evaluating the effectiveness of these measures,
- etc.
Other technical and organisational considerations when selecting and configuring a specific cloud service include the specific design of the licence and service contract, the choice of server location, aspects of international data transfer (see point 5), etc.
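As an added illustration of the first two measures above (it is not code from the Data Protection Office or from any provider), the following Go program pseudonymises direct identifiers with a keyed hash and encrypts the remaining content with AES-256-GCM before anything is uploaded; both keys stay with the controller, so the cloud provider stores only a pseudonym and ciphertext it cannot read or alter unnoticed. The keys, the identifier and the sample record are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed demo keys. Both stay with the controller (e.g. in an on-premises
// KMS/HSM); the cloud provider only receives the outputs of the functions below.
var pseudoKey = []byte("constructed-demo-pseudonymisation-key")
var dataKey = sha256.Sum256([]byte("constructed-demo-data-key-passphrase"))

// Pseudonymize replaces a direct identifier with its HMAC-SHA256. Records can
// still be joined on the pseudonym in the cloud; re-identification needs pseudoKey.
func Pseudonymize(identifier string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(identifier))
	return fmt.Sprintf("%x", mac.Sum(nil))
}

// aead builds AES-256-GCM; the key is a fixed 32 bytes, so neither call can fail.
func aead() cipher.AEAD {
	block, _ := aes.NewCipher(dataKey[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt seals a field before upload; the random nonce is prepended.
func Encrypt(plaintext []byte) ([]byte, error) {
	gcm := aead()
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt runs only at the controller; the GCM tag check fails closed on any alteration.
func Decrypt(sealed []byte) ([]byte, error) {
	gcm := aead()
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed record too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}
```

A record uploaded as `Pseudonymize(email)` plus `Encrypt(payload)` lets the provider store and index data without ever holding the identifier or the plaintext.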
Note: the European Union Agency for Cybersecurity (ENISA) has published the "Cloud Security Guide for SMEs", a guideline on cloud security for small and medium-sized enterprises. The guide explains both the security-relevant opportunities and the risks, and suggests possible measures for reducing the risks.
There are also areas of law that restrict where data may be processed and stored, for example Article 27(d) of the Due Diligence Act. In such cases, international data transfer via a cloud with servers located abroad should be avoided.
4. Data protection impact assessment (Article 35 GDPR)
If the processing of personal data in a cloud service is likely to result in a high risk to the data subjects because of the nature, scope, context and purposes of the processing, a data protection impact assessment under Article 35 GDPR must be carried out beforehand.
The same applies, for example, if special categories of personal data under Article 9 GDPR, or data relating to criminal convictions and offences under Article 10 GDPR, are to be processed on a large scale in the cloud.
5. International transfer of personal data (Article 44 GDPR)
If the server on which the selected cloud service runs is not located in a member state of the European Union / European Economic Area, the rules in Article 44 et seq. GDPR must also be observed.
In a third country for which the EU Commission has issued an adequacy decision under Article 45 GDPR (such as Switzerland), the transfer of data is largely unproblematic. In all other cases, appropriate safeguards under Article 46 et seq. GDPR must ensure a level of data protection equivalent to the rules applicable here. In any case, the data subjects must be informed in advance about the disclosure of their data and about the relevant adequacy decision or the appropriate safeguards chosen.
Note: with the Schrems II ruling of the European Court of Justice of 16 July 2020, the adequacy decision for the United States, the EU-US Privacy Shield, was declared invalid. A data transfer to the United States is therefore no longer readily possible, which should be taken into account when choosing the server location, especially with American providers.
International transfer of data
If personal data are transmitted not only within the EU/EEA but also to third countries or international organisations, strict rules apply under the General Data Protection Regulation (GDPR).
This ensures that the high level of protection cannot be undermined by transferring data to a third country not subject to the GDPR. Personal data may therefore only be transmitted to a recipient in a third country if, in addition to compliance with all other provisions of the GDPR, the third country or the recipient ensures a level of data protection comparable to that of the EU/EEA (Article 44 GDPR).
To ensure this, an adequacy decision of the EU Commission ("safe third countries") or other appropriate safeguards for data protection and the rights of data subjects (all other, "unsafe third countries") are required. The most important instruments of this kind are:
- Adequacy decision of the EU Commission (Article 45 GDPR)
- EU-US Privacy Shield (declared invalid by the Court of Justice on 16 July 2020)
- EU standard data protection clauses (Article 46 GDPR)
- Binding corporate rules (BCR) (Article 47 GDPR)
In addition, Article 46 GDPR lists other appropriate safeguards (e.g. approved codes of conduct, certifications), which have so far been of lesser importance in practice.
Finally, the GDPR recognises certain exceptions for specific cases of data transfer to third countries where there is neither an adequacy decision nor other appropriate safeguards. For example, a transfer limited to an individual case may still take place under certain circumstances and conditions, such as where the data subject has given consent, where it is necessary for the performance of a contract, where there is an important public interest, or where it is necessary to enforce legal claims (Article 49 GDPR).
The provisions of the GDPR on transfers to third countries apply to every transfer of personal data, irrespective of whether it is carried out by a controller or a processor, whether the recipient is a public body or a private party, and whether the data are actually transmitted or only made accessible through access rights. The rules also apply to any onward transfer of the personal data by the recipient to another third country.