Cloud services in the public sector: EDPB report and observations by the BE DPA
The EDPB published a report on the findings of its first coordinated enforcement action, which focused on the use of cloud-based services by the public sector. The report includes a set of recommendations for data controllers using cloud services. In the annex, the Belgian Data Protection Authority (BE DPA) provides its observations at national level.
In February 2022, the BE DPA decided to participate in the first annual coordinated action of the EDPB. A total of 22 national supervisory authorities across the EEA had responded and initiated actions in this respect. The BE DPA collected information by means of a questionnaire from ICT providers for public bodies on the one hand, and from public organisations that process large volumes of health data on the other.
The answers of the public bodies involved in this action in Belgium have been used for the drafting of a national report which is annexed to the report published by the EDPB.
In this report, the DPA recalls the importance of, inter alia:
- consulting the Data Protection Officer (DPO) before selecting a cloud service provider;
- carrying out a data protection impact assessment (DPIA) before selecting and using cloud services;
- including detailed data protection requirements in tender and public procurement documents.
To conclude this awareness-raising action, the BE DPA sent a table with observations to the Belgian organisations surveyed, based on their specific replies, which will enable them to make a self-assessment and to take the necessary measures to bring the use of cloud services in line with data protection requirements.
The next annual coordinated action of the EDPB will focus on the designation and role of the Data Protection Officer. The DPA, for which the DPO is one of the 2023 priorities, is already planning to participate in this action.
The full EDPB report and the national annexes are available on the website of the EDPB.