Quick check

EU Data Protection Checklist in the Cloud

  • Legal basis for processing: You must ensure that you have a legal basis for processing personal data in the cloud. For example, this may be the consent of the data subject, or it may be necessary due to a contract in order to provide the service. Make sure you have a clear legal basis for processing before storing personal data in the cloud.

  • Information requirements: You must inform data subjects that their data will be stored in the cloud and what type of data will be stored. This should be done in a privacy statement or in a separate notification.

  • Security measures: You must take appropriate technical and organizational measures to protect personal data in the cloud. This may include, for example, encrypting data or restricting access to the data.

  • Commissioned processing: If you use a cloud provider that processes personal data on your behalf, you must ensure that a commissioned processing contract (CPC) is in place. This contract should include the requirements of the GDPR for processors. With non-European cloud providers, an agreement in accordance with EU Standard Contractual Clauses (SCC) must also be concluded.

  • Data backup: You must perform regular data backups to ensure that personal data can be restored in the event of data loss or corruption.

  • Data subjects' rights: You must ensure that data subjects can exercise their rights under the GDPR, including the right of access, rectification, erasure and restriction of processing.

  • Data protection impact assessment: If you are planning large-scale processing of personal data in the cloud, you should conduct a data protection impact assessment to ensure that you identify any data protection risks and take appropriate measures to mitigate those risks.

It is important that you follow the requirements of the GDPR before storing personal data in the cloud. If you are unsure, feel free to contact me to make sure you comply with the GDPR requirements.

Data protection & cloud = no contradiction!

Step 1: Is the provider in an EU country?

YES!!! There is a transfer to third countries such as the USA, China, ...

Strictly speaking, this is neither allowed nor intended.
But we have compiled some solutions for you here.

No!!! There is no transfer to countries outside the EU: that's perfect!!!

Please conclude a contract and a supplementary commissioned processing contract (CPC) and off you go.

Step 2: There are exceptions and countries with level

With cloud providers from these countries, you do not have to worry about data protection law due to the third country regulation, because the level of data protection is considered adequate and equal to the EU:

  • Andorra 🇦🇩
  • Argentina 🇦🇷
  • Canada 🇨🇦
  • Faroe Islands 🇫🇴
  • Guernsey 🇬🇬
  • Israel 🇮🇱
  • Isle of Man 🇮🇲
  • Japan 🇯🇵
  • Jersey 🇯🇪
  • New Zealand 🇳🇿
  • Republic of Korea (South Korea) 🇰🇷
  • Switzerland 🇨🇭
  • Uruguay 🇺🇾
  • United Kingdom 🇬🇧

Step 3:
The transfer of personal data to the USA, India or China is prohibited.

Data protection also with emails

Get advice now without obligation

We help companies sort out their data protection issues and glitches, repair them and advise them accordingly to avoid heavy fines and hassles.

At a glance: Opportunities and risks of the cloud


  • Flexible and cost-efficient adjustment of resource utilization
  • Instead of fixed costs, variable costs ("pay-per-use")
  • Mobile work
  • "Bring Your Own Device" (BYOD)
  • Depending on the type of cloud (see under Responsibilities), e.g. with Software as a Service, no own technical staff is necessary.
  • Rapid market launch of new products and services


  • Vendor lock-in: Cloud provider changes its pricing model, customer wants to switch, but the costs for data transfer are so high that the switch is not worthwhile. So the customer has to accept the price increase.
  • Service level agreements from cloud providers never offer more than 99.9% availability. This is not really a problem, because more than that is not possible in in-house operation either.
    But: There are no guarantees regarding data loss or
  • Are the security objectives being achieved?
    Confidentiality: Can data be viewed by unauthorized persons?
    Integrity: Unnoticed accidental or intentional modification of data in the cloud
    Availability: Is it ensured that data or services can be used at any time?
  • Data protection and compliance:
    When is which data deleted?
    Which data may not be stored? E.g. health data
    How is access controlled?
    Is personal data in the cloud safe from unauthorized access?
  • Insider attacks by cloud provider employees and data theft

Data Protection Officer


Simply work with data safely and securely

Use our 8-point checklist here - unique and expressive