The Danish Data Protection Agency is testing the use of cloud solutions

Legal news
22 September 2022
Denmark

The Danish Data Protection Agency has initiated supervisory visits on the use of cloud services in two companies following its updated guidance on the subject. Cloud solutions are a necessity in most companies and are therefore, naturally, also an important focus area from a data protection perspective. On supervisory visits, companies should be prepared for a series of specific questions on the use of the services.

Cloud solutions are the norm in most companies to either a smaller or greater degree. In many companies, solutions such as OneDrive, Dropbox or iCloud are practical IT resources as part of the daily operations.

However, the use of cloud solutions comes with a responsibility. Ultimately, companies are accountable for ensuring that the solution complies with the applicable data protection rules. It is therefore important that the underlying agreements for the use of cloud solutions take a number of issues into account and that companies carefully consider such issues prior to implementing the solution. This is exactly what the Danish Data Protection Agency is currently testing a larger insurance company and a rescue company for.

Companies are accountable in the event of a cloudburst

Besides various more general questions, the Danish Data Protection Agency tests four different elements during supervisory visits that focus on the use of cloud solutions:

  • Knowledge of the solutions (focus on the name of the solution, processing activities, types of data, categories of data subjects, measures in place to address potential risks, etc.)
  • Knowledge of the suppliers (focus on what compliance level the supplier guarantees, screening of suppliers, sub-processors, international transfers, etc.)
  • Control with suppliers (focus on procedures in place, annual wheels and similar control schedules for suppliers, including frequency and intensity of such control, how deviations and new practices are addressed, etc.)
  • International transfers (focus on how transfers to third countries are identified and managed, instructions and the legal basis for such transfers, elements compromising the security in the third countries, etc.)

During supervisory visits, the Danish Data Protection Agency may also request documentation from the company. Depending on the circumstances, documentation may include data processor agreements, policies, procedures, annual wheel, reports, standard contractual clauses, records of processing activities and similar documents.

IUNO’s opinion

The data protection rules are technology neutral, which means that companies in principle are free to choose the most suitable solution depending on operational needs. While this flexibility creates lots of opportunities, it also brings different pitfalls, making it difficult for most companies to navigate. The two supervisory visits that the Danish Data Protection Agency is currently carrying out will therefore be interesting to follow.

IUNO recommends that companies become familiar with the different questions that the Danish Data Protection Agency will ask in the event of a supervisory visit. Companies can benefit from checking whether relevant documentation is up to date in this connection. That way, it will be possible to document that the applied cloud solutions comply with the rules. If the cloud solutions do not comply with the data protection rules, it can lead to large fines. We have written more about this here.

[The Danish Data Protection Agency’s letters regarding supervisory visits on the use of cloud to Topdanmark Forsikring A/S and Falck Healthcare A/S of 28 June 2022]

Anders Etgen Reitz, Partner

Kirsten Astrup, Managing associate (on leave)
