
The Danish Data Protection Agency is testing the use of cloud solutions

Legal news
22 September 2022
Denmark

The Danish Data Protection Agency has initiated supervisory visits concerning the use of cloud services in two companies following its updated guidance on the subject. Cloud solutions are a necessity in most companies and are therefore, naturally, also an important focus area from a data protection perspective. On supervisory visits, companies should be prepared for a series of specific questions on the use of the services.

Cloud solutions are the norm in most companies to a smaller or greater degree. In many companies, solutions such as OneDrive, Dropbox or iCloud are practical IT resources as part of the daily operations.

However, the use of cloud solutions comes with a responsibility. Ultimately, companies are accountable for ensuring that the solution complies with the applicable data protection rules. It is therefore important that the underlying agreements for the use of cloud solutions take a number of issues into account and that companies carefully consider such issues prior to implementing the solution. This is exactly what the Danish Data Protection Agency is currently testing a larger insurance company and a rescue company for.

Companies are accountable in the event of a cloudburst

Besides various more general questions, the Danish Data Protection Agency tests four different elements during supervisory visits that focus on the use of cloud solutions:

  • Knowledge of the solutions (focus on the name of the solution, processing activities, types of data, categories of data subjects, measures in place to address potential risks, etc.)
  • Knowledge of the suppliers (focus on what compliance level the supplier guarantees, screening of suppliers, sub-processors, international transfers, etc.)
  • Control with suppliers (focus on procedures in place, annual wheels and similar control schedules for suppliers, including frequency and intensity of such control, how deviations and new practices are addressed, etc.)
  • International transfers (focus on how transfers to third countries are identified and managed, instructions and the legal basis for such transfers, elements compromising the security in the third countries, etc.)

During supervisory visits, the Danish Data Protection Agency may also request documentation from the company. Depending on the circumstances, documentation may include data processor agreements, policies, procedures, annual wheel, reports, standard contractual clauses, records of processing activities and similar documents.

IUNO’s opinion

The data protection rules are technology neutral, which means that companies in principle are free to choose the most suitable solution depending on operational needs. While this flexibility creates lots of opportunities, it also brings different pitfalls, making it difficult to navigate for most companies. The two supervisory visits that the Danish Data Protection Agency is currently carrying out will therefore be interesting to follow.

IUNO recommends that companies become familiar with the different questions that the Danish Data Protection Agency will ask in the event of a supervisory visit. Companies can benefit from checking whether the relevant documentation is up to date in this connection. That way, it will be possible to document that the applied cloud solutions comply with the rules. If the cloud solutions do not comply with the data protection rules, it can lead to large fines. We have written more about this here.

[The Danish Data Protection Agency’s letters regarding supervisory visits on the use of cloud to Topdanmark Forsikring A/S and Falck Healthcare A/S of 28 June 2022]



Anders Etgen Reitz, Partner

Kirsten Astrup, Senior associate
