Stockholm University is responsible for personal data processed in a cloud service, even if a cloud service provider (with or without subcontractors) is contracted to carry out the processing. Contracted cloud service providers, including their subcontractors, are "personal data processors". If Stockholm University uses a cloud service in order to, for example, store personal data, the University loses direct control over that personal data. It is therefore very important that the personal data controller ensures that the GDPR and other applicable laws are followed when personal data is processed in this way. 

Those who are considering making use of a cloud service must go through the requirements established by the GDPR and other applicable laws in good time, in order to decide whether there are obstacles or risks to using a cloud service. An important first step is to establish what type of personal data is to be processed in the cloud service and why. It may be unsuitable, or even illegal, to use cloud services for certain of Stockholm University's activities, which is why contact should be made with the Stockholm University data protection ombudsperson. One thing that must be investigated is whether the data to be handled is sensitive or classified as confidential; it is also important to clarify whether the personal data is contained in public documents or not. Processing personal data in a cloud service may in fact mean that documents which are not public are regarded as having been dispatched to the cloud service provider. This would change their status and make them public documents. 

The Swedish Data Protection Authority stipulates that the following must be done before cloud services are used:  

  • Control of legality
  • Risk and vulnerability analysis
  • Personal data processing agreement
  • Control of processors
  • Control of processing in third countries

Contact the University data protection ombudsperson for support.

Control of legality

Before a decision is taken to begin using the cloud service, Stockholm University must first decide whether it is actually permitted to process the personal data in question under the GDPR.

When it has been established that Stockholm University is permitted to process this personal data, it must then be ascertained whether the processing that the cloud service provider would carry out is permitted. The personal data processor may only process personal data in accordance with instructions from the personal data controller, and these instructions would normally be drawn up by the controller. In many cases, however, the cloud service provider has "standard" agreements that may be signed with customers. In such cases the personal data controller must examine the terms of these agreements and assess, on the basis of the GDPR and of the controller's own risk and vulnerability analysis, whether such a standard contract may be signed or not. 

For the legality check it is important to know which providers will manage the personal data, how the personal data will be managed and where, geographically, the information will be stored. The GDPR places extensive requirements on Stockholm University to provide transparency and to be able to control the processing of personal data carried out by a personal data processor.

The Swedish Data Protection Authority stipulates that the personal data controller must:

  • determine whether there is a risk that the personal data may be processed for purposes other than the original ones
  • determine whether the cloud service provider might transfer personal data to a third country, and whether such a transfer would be supported by the GDPR
  • assess which security measures must be taken to protect the personal data
  • draw up a personal data processing agreement with the cloud service provider
  • ensure that other legislation is followed, such as the Public Access to Information and Secrecy Act, the Archives Act and any special statutes.

Risk and vulnerability analysis

Article 32 of the GDPR stipulates that the personal data controller shall take appropriate technical and organisational security measures in order to ensure a level of security appropriate to the processing. Carrying out a risk and vulnerability analysis is one example of such a measure. Before the personal data controller contracts a cloud service provider, a risk and vulnerability analysis must be carried out to determine whether it is actually possible to use the cloud service offered, what security level would be appropriate for the processing, and what measures must be taken. 

The greater the privacy risk a given processing operation presents, the greater the requirements on the security measures. What determines the magnitude of the privacy risk is, for example, the number of people the information refers to, the amount of information processed about each person and the sensitivity of the personal data processed. Authentication, authorisation management, access control, communication security, procedures for backup and destruction, and protection against unauthorised access and malicious software shall all be examined in the risk and vulnerability analysis. 

When sensitive personal data, information about legal infringements or information protected by confidentiality is processed, the Swedish Data Protection Authority requires strong authentication for access when data is transferred over the open internet, and also that the data be protected by encryption. When such data is processed there are often also requirements for access logging, whereby the personal data controller regularly and systematically follows up who has accessed which information.

Contact the University data protection ombudsperson for help in carrying out a risk and vulnerability analysis.

Personal data processing agreements

When a personal data controller engages a personal data processor, a personal data processing agreement must be signed containing the information and requirements stipulated by the GDPR. Cloud service providers often have their own standard agreements with limited scope for amendment, but this does not release Stockholm University from the duty of having a personal data processing agreement that meets the requirements of the GDPR. 

Contact the University data protection ombudsperson for support in designing or examining a personal data processing agreement.

Control of processors

The personal data controller must check that the personal data processor and any subcontractors actually implement the security measures needed to fulfil the requirements of the GDPR. The more sensitive the personal data processed, the greater the requirements on this control. At the same time, the control becomes more difficult to carry out, because the personal data processor may process personal data for many different clients, employ various subcontractors, move the information, process the personal data in several countries, and so on. The more transparent the work of the cloud service provider and any subcontractors, the easier it is to carry out the necessary controls of how the provider processes the personal data in accordance with the GDPR.

Control of processing in third countries

If personal data is to be processed by personal data processors in a country outside the EU/EEA, the personal data controller must ensure that the personal data processor, and any subcontractor who might process the personal data, is permitted to do so. Stockholm University must therefore ensure that one of the exemptions from the prohibition against transfers to third countries applies and that the other rules of the GDPR are followed. Transfer of personal data to a third country may be permitted in the following circumstances: 

  • A decision by the European Commission that the country ensures an adequate level of protection
  • Appropriate safeguards, for example standard contractual clauses or binding corporate rules (BCRs)
  • Special permission from the Swedish Data Protection Authority
  • Consent, or other specifically defined situations
  • One-off transfers

Contact the University data protection ombudsperson if personal data is being transferred to a third country. 
