How to interpret the new European rules for cloud services

The rules require companies to rethink the management of the data they control and their relationships with cloud service providers

By Fabia Cairoli, associate at Dentons; Cecilia Canova, trainee at Dentons; Marco Propato, trainee at Dentons

The use of increasingly advanced solutions brings with it the need to comply with multiple regulatory provisions. These provisions are interconnected, evidence of a governance ecosystem that requires ever more cross-cutting interventions and, perhaps, a rethinking of business organizations that are often based on a rigid division of competences.

This, more or less, is the impression one gets when evaluating two of the most recent developments affecting the cloud solutions market. On the one hand, the new Standard Contractual Clauses (SCC) models require companies to rethink the management of the data they control. In reviewing the personal data flows that characterize all companies (at least the most virtuous ones, which are proceeding according to the dictates of the European Data Protection Board (EDPB), recently summarized in the Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the recommendations)), active interaction with cloud solution providers is required, in order to "rethink" the existing contractual models as well.

On the other hand, the Guidelines on outsourcing to cloud service providers (the guidelines) recently introduced by ESMA (European Securities and Markets Authority), published last May and applying from 31 July 2021, are also of interest. Although the guidelines are aimed at a specific market sector, it is important to observe their provisions, which may well be of interest, and of application, to all operators.

Personal data transfers

In light of the recommendations, companies should reconsider their contractual relationships with cloud solution providers. However, the approach must be methodical: first of all, there are no solutions that are always suitable for every country of data import and for every type of processing. In part, this is because jurisdictions that present critical issues from a privacy standpoint (for the various aspects involved, see the saga of the so-called Schrems rulings) may simply not be relevant to a particular operator. We must therefore ask ourselves, on the basis of the legislation actually applicable, which problems (regulatory and otherwise) are relevant and pertinent to our own area of business.

Moreover, solutions often invoked by companies may not actually be useful or applicable to a specific processing operation: the use of so-called "turnkey" encryption (at rest, in transit and so on), that is, ensuring that the exporter retains control over access to the data, is not always possible and/or advisable. Several cloud-based services are incompatible with such a technical solution, if only because it would force the user to give up essential features of those services or basic security standards, which cannot operate unless the provider of the cloud solution has some "control" over the data.

The minimum content of the supply agreement

The guidelines recall some obligations (binding, at least, for the actual addressees of the ESMA provision) that also appear significant for other operators using outsourced cloud services. It is important to set out, in a written agreement, the rights and obligations of cloud service providers, including at least:

a clear description of the outsourced function;

if sub-outsourcing is allowed and, if so, under what conditions;

precise provisions on incident management.

Treatment agreements

Cloud service providers to which services are outsourced must, under the provisions of the GDPR, be duly appointed as data processors. Particular attention should be paid to:

the organization of information security;

the possibility or not of sub-outsourcing services;

the effective exercise of access and audit rights;

the place where personal data will be processed.

Security management

Managing information security also means managing the risks associated with the processing of that information. To prevent and address these risks, companies must implement technical and organizational security measures that take into account the state of the art and the main international reference standards, and that range, by way of example only, from the management of material and human resources to the physical security of premises, and from the encryption of communications to incident management. The call to do so can be traced to multiple sources: from the GDPR to the guidelines, passing through the SCCs and the recommendations.

The exit strategies

In negotiating cloud outsourcing contracts it is essential to secure conditions that allow the contract to be terminated, where necessary, without causing harm to the users of the services. In short, the guidelines emphasize the principle of ensuring business continuity, protecting the confidentiality of information but also the reliability of the data used (in terms of integrity and availability). ESMA suggests a concrete approach: assigning roles and tasks to ensure an effective exit strategy, and also assessing the potential costs, impact and timing of its implementation.

What appears increasingly evident in the cloud services sector is the tendency of the legislator to tighten its grip on certain key aspects, intervening through various regulatory instruments. The provisions of the SCCs are also substantially echoed by the guidelines, which highlight the need to assess "the political stability, the security situation and the legal system [...] of the countries [...] in which the outsourced functions will be carried out and where the outsourced data will be kept".

And, again, ESMA's position on the minimum content of a supply agreement evokes the dictates of the GDPR, in terms of managing the chain of processors (and sub-processors) but also of the management of security incidents. Moreover, various operators adhere to self-regulation tools, as in the case of the EU Data Protection Code of Conduct for cloud service providers, which has also received formal approval from the Belgian supervisory authority and the EDPB. Therefore, in an increasingly stratified framework, ensuring compliance becomes complex: not only with regulatory provisions but also with high market standards, especially in the face of a notion of accountability that increases the burden of responsibility on companies. This is why processes must be designed in an integrated way and solutions must be aimed at addressing multiple problems at once: only in this way can the measures adopted be not only effective but also efficient in terms of related costs and harmonization of solutions.


This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.