Public bodies should take into account the possible sensitive nature and large amounts of data processed by public
bodies. But how to guarantee the fundamental right to the protection of personal data? The EDPB therefore underlines the need for public bodies to act in full compliance with the GDPR when using cloud-based products or services. In this regard, below report also provides a list of points of attention that stakeholders should take into account when concluding agreements with CSPs:
• Carry out a DPIA;
• Ensure that the roles of the involved parties are clearly and unequivocally determined;
• Ensure the CSP acts only on behalf of and according to the documented instructions of the public body and identify any possible processing by the CSP as a controller;
• Ensure that a meaningful way to object to new sub processors is possible;
• Ensure that the personal data are determined in relation to the purposes for which they are processed;
• Promote the DPO’s involvement;
• Cooperate with other public bodies in negotiating with the CSPs;
• Carry out a review to assess if processing is performed in accordance with the DPIA;
• Ensure that the procurement procedure already envisages all the necessary requirements to achieve compliance with the GDPR;
• Identify which transfers may take place in the context of routine services provision, and in case of processing of personal data for the CSPs’ own business purposes and ensure Chapter V provisions of the GDPR are met, also by identifying and adopting supplementary measures when necessary;
• Analyse if a legislation of a third country would apply to the CSP and would lead to the possibility to address access requests to data stored by the CSP in the EU;
• Examine closely and if necessary renegotiate the contract;
• Verify the conditions under which the public body is allowed for and can contribute to audits and ensure that they are in place