The European Data Protection Board (EDPB) has published a report on its coordinated enforcement activities in relation to the use of cloud-based services by public sector bodies. The report provides public authorities using cloud services with a set of recommendations ("Points of Attention").

Some background: in 2022, 22 data protection authorities across the European Economic Area (including the European Data Protection Supervisor) conducted coordinated investigations to examine how public bodies use cloud-based services. In total, around 100 public sector bodies were involved in the inquiries. They spanned the European institutions and different sectors, such as healthcare, finance, taxation, education, and providers and purchasers of IT services.

The joint report is a summary of the findings of all enforcement authorities in the Coordinated Enforcement Framework. Although the specific investigations are still ongoing, the report provides guidance on how to check GDPR compliance when using cloud-based services – and not just for public authorities.

Eight challenges identified by regulators during the Coordinated Enforcement Framework are given particular attention. These include pre-contractual issues related to conducting a data protection impact assessment (and/or risk assessment), as well as the role of parties and audit rights.
