The Danish Data Protection Agency is testing the use of cloud solutions
The Danish Data Protection Agency has initiated supervisory visits focused on the use of cloud services at two companies, following its updated guidance on the subject. Cloud solutions are a necessity in most companies and are therefore, naturally, also an important focus area from a data protection perspective. During supervisory visits, companies should be prepared for a series of specific questions on their use of such services.
Cloud solutions are the norm in most companies, to a smaller or greater degree. In many companies, solutions such as OneDrive, Dropbox or iCloud are practical IT resources that form part of daily operations.
However, the use of cloud solutions comes with a responsibility. Ultimately, companies are accountable for ensuring that the solution complies with the applicable data protection rules. It is therefore important that the underlying agreements for the use of cloud solutions take a number of issues into account, and that companies carefully consider those issues before implementing the solution. This is exactly what the Danish Data Protection Agency is currently testing at a large insurance company and a rescue company.
Companies are accountable in the event of a cloudburst
Besides a number of more general questions, the Danish Data Protection Agency examines four elements during supervisory visits that focus on the use of cloud solutions:
- Knowledge of the solutions (focus on the name of the solution, processing activities, types of data, categories of data subjects, measures in place to address potential risks, etc.)
- Knowledge of the suppliers (focus on the level of compliance the supplier guarantees, screening of suppliers, sub-processors, international transfers, etc.)
- Control of suppliers (focus on the procedures in place, annual wheels (annual compliance calendars) and similar control schedules for suppliers, including the frequency and intensity of such controls, and how deviations and new practices are addressed, etc.)
- International transfers (focus on how transfers to third countries are identified and managed, the instructions and legal basis for such transfers, factors that compromise security in the third country, etc.)
During supervisory visits, the Danish Data Protection Agency may also request documentation from the company. Depending on the circumstances, such documentation may include data processor agreements, policies, procedures, annual wheels, reports, standard contractual clauses, records of processing activities and similar documents.
IUNO’s opinion
The data protection rules are technology neutral, which means that companies are in principle free to choose the most suitable solution for their operational needs. While this flexibility creates many opportunities, it also brings various pitfalls, making the area difficult for most companies to navigate. The two supervisory visits that the Danish Data Protection Agency is currently carrying out will therefore be interesting to follow.
IUNO recommends that companies become familiar with the questions that the Danish Data Protection Agency will ask in the event of a supervisory visit. In this connection, companies can benefit from checking whether the relevant documentation is up to date. That way, they will be able to document that the cloud solutions they use comply with the rules. If the cloud solutions do not comply with the data protection rules, it can lead to large fines. We have written more about this here.
[The Danish Data Protection Agency’s letters regarding supervisory visits on the use of cloud to Topdanmark Forsikring A/S and Falck Healthcare A/S of 28 June 2022]